| 1 |
On 03/05/15 09:49, Patrick Schleizer wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> I am currently working on a comparison of package managers in which |
| 5 |
> Portage is part of. |
| 6 |
> |
| 7 |
> https://www.whonix.org/wiki/Comparison_Of_Package_Managers |
| 8 |
> |
| 9 |
> Would you be interested to check if the current assessments are correct |
| 10 |
> and/or to fill the remaining gaps? |
| 11 |
> |
| 12 |
> Where the comparison table is hosted or licensing (as long as it's Libre |
| 13 |
> Software) doesn't matter much to me. Edits can be made by both anonymous |
| 14 |
> and registered users. Those need to be verified by admins before they go |
| 15 |
> visible by default for everyone. If you like to have an account without |
| 16 |
> that limitation, that is also possible. |
| 17 |
> |
| 18 |
> Cheers, |
| 19 |
> Patrick |
| 20 |
> |
| 21 |
> |
| 22 |
|
| 23 |
Looking at the table, it appears to be unaware of using |
| 24 |
FEATURES=webrsync-gpg instead of standard rsync. We offer a full copy |
| 25 |
of the repo which is compressed and gpg signed which would seem to |
| 26 |
mitigate a lot of the attacks in your table. Not that I nessesarily |
| 27 |
agree that some of them even qualify as attacks, but webrsync-gpg would |
| 28 |
appear to mitigate attacks 3, 11, and 12. |
| 29 |
|
| 30 |
Attack 7 is possible, but the user would know since emerge tells you |
| 31 |
every time it is run how long it has been since a successful update |
| 32 |
based on a timestamp in the portage tree which for webrsync-gpg the |
| 33 |
attacker cannot modify. |
| 34 |
|
| 35 |
Attack 14 is not possible in gentoo as emerge will jump from mirror to |
| 36 |
mirror until it successfully gets the desired file. One would have to |
| 37 |
own all the mirrors (or at least hijack dns) to stop the user from |
| 38 |
getting a file, but at that point it's no longer a malicious mirror attack. |
| 39 |
|
| 40 |
I used the footnote numbers to reference the attacks. |
| 41 |
|
| 42 |
-Zero |
Archives