<div dir="ltr"><br><div class="gmail_quote">On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <span dir="ltr"><<a href="mailto:jbutterworth@...">jbutterworth@...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Thank you Shimi. </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">I also came across a couple threads in my research:</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"><a href="http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/" target="_blank">http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/</a>
and</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"><a href="http://thread.gmane.org/gmane.linux.gentoo.devel/38363" target="_blank">http://thread.gmane.org/gmane.linux.gentoo.devel/38363</a></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">These (from back in 2006/2008) discuss potential changes to
make the Gentoo software distribution system more secure. Does Portage verify
various different hash signatures on the source files as a result of these
recommendations or is this something Portage has always done? Does anyone know
if anything (else) ever came of these proposals? </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p></div></div></blockquote><div><br>This is with regards to signing; signing also promises you that the file at Gentoo's main distribution is intact, otherwise the signature won't be valid. Verifying file integrity by hashes is unrelated; of course, when you do sign your releases, you have to sign all the relevant stuff, including the hashes of the files, so everyone can verify that *nothing* was tampered with. But I was merely talking about verifying that the downloaded file matches what the developer who added the package had on his computer (assuming, again, that you're syncing from a reliable source, and that this reliable source, which is syncing from Gentoo's main tree, is syncing from a non-compromised tree, AND that no one MITM'd it - which is difficult to achieve when rsync traffic is not SSL with verifiable certs AND the packages themselves are not signed with PGP etc...)<br>
<br>Anyways, the existence of hashes for the files, if memory serves me right, has been there since before I started using Gentoo, which dates back to the end of 2003... the hash algorithms have changed over time, but that's no biggie - you can look at the Manifest file I gave as an example - you just have the hash there along with the algorithm that needs to verify it (and there's more than one...)<br>
<br>Sorry, but I don't know about the status of actual signing in Gentoo, which is probably handled by the security people... I am merely an old user :)<br><br>HTH,<br><br>-- Shimi<br></div></div><br></div>
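The Manifest hash check Shimi describes above, as an added example that is not part of this thread and not Portage's own code: it assumes the Manifest2 line layout `TYPE filename size ALG hexdigest [ALG hexdigest ...]` (types DIST, EBUILD, MISC, AUX, MANIFEST), a constructed sample distfile and a tampered copy, and it deliberately stops at hashes: PGP armor lines in a clearsigned Manifest are skipped, and verifying that signature is the separate step the reply distinguishes from integrity hashing. An entry whose algorithms the verifier cannot compute is reported as unverified rather than silently passed.

```python
import hashlib

# Manifest2 entry types Portage writes; anything else (e.g. PGP armor lines in a
# clearsigned Manifest) is ignored by the parser. Signature checking is not done here.
ENTRY_TYPES = {"DIST", "EBUILD", "MISC", "AUX", "MANIFEST"}

# Manifest hash names -> hashlib names. Newer trees use BLAKE2B/SHA512; older
# ones (the 2006-2010 era of this thread) used SHA1/SHA256/RMD160.
MANIFEST_HASHES = {
    "BLAKE2B": "blake2b",
    "SHA512": "sha512",
    "SHA256": "sha256",
    "SHA1": "sha1",
    "RMD160": "ripemd160",  # not available in every OpenSSL build
}

def parse_manifest(text):
    """Map (type, filename) -> (size, {ALG: hexdigest}) for each entry line."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ENTRY_TYPES:
            continue
        # type name size ALG hex [ALG hex ...]: at least one pair, and pairs complete
        if len(parts) < 5 or (len(parts) - 3) % 2:
            raise ValueError(f"malformed Manifest line: {raw!r}")
        size = int(parts[2])
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[(parts[0], parts[1])] = (size, hashes)
    return entries

def verify_entry(entry, data):
    """Return (ok, reasons): size must match and every hash we can compute must match."""
    size, hashes = entry
    reasons = []
    if len(data) != size:
        reasons.append(f"size {len(data)} != {size}")
    checked = 0
    for alg, expected in hashes.items():
        hname = MANIFEST_HASHES.get(alg)
        if hname is None or hname not in hashlib.algorithms_available:
            continue  # unknown or unsupported algorithm: cannot check, don't pretend to
        checked += 1
        if hashlib.new(hname, data).hexdigest() != expected.lower():
            reasons.append(f"{alg} mismatch")
    if checked == 0:
        reasons.append("no supported hash algorithm to check against")
    return (not reasons, reasons)

def make_dist_line(name, data, algs=("BLAKE2B", "SHA512")):
    """Build a DIST line in Manifest layout (only used here to construct sample input)."""
    fields = ["DIST", name, str(len(data))]
    for alg in algs:
        fields += [alg, hashlib.new(MANIFEST_HASHES[alg], data).hexdigest()]
    return " ".join(fields)

# Constructed sample: a "distfile" and a tampered copy of the same length.
GOOD_DATA = b"#!/bin/sh\necho 'example-1.0 build script'\n"
TAMPERED_DATA = GOOD_DATA.replace(b"echo", b"eval")
SAMPLE_MANIFEST = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",  # armor lines are skipped by the parser
    "Hash: SHA256",
    "",
    make_dist_line("example-1.0.tar.gz", GOOD_DATA),
    "DIST old-0.1.tar.gz 3 NOSUCHHASH 000000",  # hypothetical algorithm we cannot compute
])

def check(name, data):
    """Look up a DIST entry by filename in the sample Manifest and verify data against it."""
    entry = parse_manifest(SAMPLE_MANIFEST).get(("DIST", name))
    if entry is None:
        return (False, ["no Manifest entry"])
    return verify_entry(entry, data)

if __name__ == "__main__":
    for label, data in (("good", GOOD_DATA), ("tampered", TAMPERED_DATA)):
        print(label, check("example-1.0.tar.gz", data))
    print("old", check("old-0.1.tar.gz", b"abc"))
```

Every listed algorithm that the local hashlib supports is checked, not just the first one, so a Manifest that carries several digests (as Shimi notes, there is more than one) only passes when all of them agree with the file.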