Gentoo Archives: gentoo-dev

From: Ali-Reza Anghaie <ali@×××××××××××.com>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Portage package security model...
Date: Fri, 15 Feb 2002 16:35:49

I searched -dev, -user, and bugzilla but found nothing about signing
packages and keeping sums or some other verification scheme within the
ebuild script for Portage.

Should I/we consider an RFE for future versions that would (among other
things I'm sure):

- Sign the ebuild scripts w/ a Gentoo key that a few key players would
have access to. Alternatively, for packages not 'core' to the system
they could be signed by the author. Emerge would need a way to manage
this through GPG but we can work on that. ( And you'd accept new keys
manually, have them downloaded from MIT or, etc. )

- Embed in the signed ebuild script the md5sums of all the tarballs and
patches you're about to go snag for building.

This would help w/ security of packages on mirrors and such as well.

I have a sneaking suspicion somebody will say something similar is
already done, it isn't needed, etc. For some reason I would think this
would already be covered in design goals.


Just a thought... -Ali

OpenPGP key 53F7FF5F
Bear in mind that, in 30 years' time, all that might remain of the
system you're building today is the memory of its more newsworthy
security failures. -- 'Security Engineering', Ross Anderson


File name MIME type
signature.asc application/pgp-signature
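
The second bullet of the message above (digests of every tarball and patch carried inside signed text) can be sketched as follows. This is an added example, not part of the original message and not Portage code; the `MD5 <hex> <name> <size>` entry format and all function names are hypothetical. It assumes the signature on the text carrying the digests was already checked (for example with GPG) before these functions run.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed entry format (an assumption, not Portage's own): MD5 <hex> <name> <size>
def parse_manifest(text):
    """Return {filename: (md5_hex, size)}; reject malformed or duplicate entries."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 4 or fields[0] != "MD5":
            raise ValueError(f"line {lineno}: malformed entry")
        _, digest, name, size = fields
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"line {lineno}: bad digest")
        if name != os.path.basename(name) or name in entries or not size.isdigit():
            raise ValueError(f"line {lineno}: bad name or size")
        entries[name] = (digest, int(size))
    return entries

def verify_distfiles(manifest_text, distdir, wanted):
    """Check every file the build wants; anything not 'ok' must stop the build."""
    entries = parse_manifest(manifest_text)
    results = {}
    for name in wanted:
        path = os.path.join(distdir, name)
        if name not in entries:
            results[name] = "unlisted"      # fail closed on files the manifest omits
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != entries[name][1]:
            results[name] = "size-mismatch"
        else:
            md5 = hashlib.md5()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    md5.update(chunk)
            same = hmac.compare_digest(md5.hexdigest(), entries[name][0])
            results[name] = "ok" if same else "digest-mismatch"
    return results

def demo():
    """Constructed sample: a good tarball, a tampered patch, an unlisted file."""
    listed = {"foo-1.0.tar.gz": b"constructed tarball", "foo-fix.patch": b"constructed patch"}
    manifest = "".join(f"MD5 {hashlib.md5(d).hexdigest()} {n} {len(d)}\n" for n, d in listed.items())
    on_disk = {**listed, "foo-fix.patch": b"constructed p4tch", "extra.tar.gz": b"x"}
    with tempfile.TemporaryDirectory() as distdir:
        for name, data in on_disk.items():
            with open(os.path.join(distdir, name), "wb") as fh:
                fh.write(data)
        return verify_distfiles(manifest, distdir, list(on_disk))
```

The digests only help against a tampered mirror if the manifest reaches the user over the signed path; a digest file fetched unsigned from the same mirror as the tarball can be replaced along with it.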