Gentoo Archives: gentoo-dev

From: Ali-Reza Anghaie <ali@×××××××××××.com>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Portage package security model...
Date: Fri, 15 Feb 2002 16:35:49
Message-Id: 1013812448.1852.54.camel@damascus.packetknife.com

I searched -dev, -user, and bugzilla but found nothing about signing
packages and keeping sums or some other verification scheme within the
ebuild script for Portage.

Should I/we consider an RFE for future versions that would (among other
things I'm sure):

- Sign the ebuild scripts w/ a Gentoo key that a few key players would
have access to. Alternatively, for packages not 'core' to the system
they could be signed by the author. Emerge would need a way to manage
this through GPG but we can work on that. ( And you'd accept new keys
manually, have them downloaded from MIT or keyserver.net, etc. )

- Embed in the signed ebuild script the md5sums of all the tarballs and
patches you're about to go snag for building.

This would help w/ security of packages on mirrors and such as well.

I have a sneaking suspicion somebody will say something similar is
already done, it isn't needed, etc. For some reason I would think this
would already be covered in design goals.

<shrug>

Just a thought... -Ali

-- 
OpenPGP key 53F7FF5F
--
Bear in mind that, in 30 years' time, all that might remain of the
system you're building today is the memory of its more newsworthy
security failures. -- 'Security Engineering', Ross Anderson

Attachments

File name MIME type
signature.asc application/pgp-signature
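
The two-step check proposed in the message above, as an added example that is not part of the original post and is not Portage code: authenticate the ebuild first, then trust the digests embedded in it to check each fetched file. The `# DIGEST` line format, the function names and the sample data are assumptions, and an HMAC stands in for the GPG signature so the block runs offline.

```python
import hashlib
import hmac

# Hypothetical format: digest lines embedded in the signed ebuild text as
#   "# DIGEST <algo> <hexdigest> <filename>"
DIGEST_PREFIX = "# DIGEST "

def parse_digests(ebuild_text):
    """Return {filename: (algo, hexdigest)} from the embedded digest lines."""
    digests = {}
    for line in ebuild_text.splitlines():
        if line.startswith(DIGEST_PREFIX):
            algo, hexdigest, name = line[len(DIGEST_PREFIX):].split(None, 2)
            digests[name] = (algo.lower(), hexdigest.lower())
    return digests

def verify_package(ebuild_text, signature, distfiles, verify_signature):
    """Check the signature over the ebuild first, then every fetched file.

    verify_signature(data: bytes, signature) -> bool is supplied by the caller;
    in a real tool it would wrap an OpenPGP check against a trusted keyring.
    Returns a list of problems; an empty list means everything verified.
    """
    if not verify_signature(ebuild_text.encode(), signature):
        # Digests inside an unauthenticated ebuild prove nothing: stop here.
        return ["ebuild signature invalid"]
    expected = parse_digests(ebuild_text)
    problems = []
    for name, data in distfiles.items():
        if name not in expected:
            problems.append(f"{name}: not listed in signed ebuild")
            continue
        algo, want = expected[name]
        got = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(got, want):
            problems.append(f"{name}: {algo} mismatch")
    problems += [f"{n}: listed but not fetched" for n in expected if n not in distfiles]
    return problems

# Constructed demo data; HMAC is a stand-in for the GPG signature (assumption).
DEMO_KEY = b"constructed-demo-key"
def demo_sign(data):
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()
def demo_verify(data, signature):
    return hmac.compare_digest(demo_sign(data), signature)

TARBALL = b"constructed tarball bytes"
EBUILD = ("# constructed sample ebuild\n"
          f"{DIGEST_PREFIX}md5 {hashlib.md5(TARBALL).hexdigest()} foo-1.0.tar.gz\n")
SIG = demo_sign(EBUILD.encode())
```

A tarball altered on a mirror fails the digest step, and an ebuild whose digest lines were altered fails the signature step before any digest is consulted.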