Gentoo Archives: gentoo-security

From: shimi <shimi@×××××.net>
To: gentoo-security@l.g.o
Cc: jbutterworth@×××××.org
Subject: Re: [gentoo-security] portage/rsync question
Date: Tue, 06 Apr 2010 21:10:01
Message-Id: t2m9eba290f1004061326p7c5ea227id8b160d1839f6fbc@mail.gmail.com
In Reply to: [gentoo-security] portage/rsync question by "Butterworth
On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <
jbutterworth@×××××.org> wrote:

> Hi. I have a security-related question for Portage/rsync:
>
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync'ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via 'bad'
> checksum) on the public-mirror side and replace it?
>

If it's hosted @ Gentoo, if the main server is intact, the next sync will
overwrite the mirror-local copy.

If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I
understand that's the scenario you refer to).

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a
cracker changing stuff at apache.org), when you try to *emerge* the package,
emerge will fail because Portage verifies various different hash signatures on
the source files - which are embedded in the portage package tree [1].

HTH,

-- Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest
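The check Shimi describes (Portage comparing a downloaded source tarball against the sizes and digests recorded in the package's Manifest before it will build anything) can be illustrated with a small stand-alone script. This is an added example, not Portage's own verification code and not part of the mailing-list post; the distfile contents, the file name `httpd-example.tar.bz2` and the choice of BLAKE2B and SHA512 digests are constructed for the demonstration, and the `DIST name size ALGO hex ALGO hex` line layout is assumed to match the Manifest format. It shows the defender's side of the argument in the thread: a tampered tarball on a mirror fails the size or digest check, whether or not the tampering preserves the file size.

```python
import hashlib

# Constructed sample input: a stand-in for a source tarball and a hypothetical
# distfile name. Neither is a real Gentoo distfile.
SAMPLE_DIST = b"pretend this is the apache source tarball contents\n"
DIST_NAME = "httpd-example.tar.bz2"


def manifest_entry(name, data, algos=("BLAKE2B", "SHA512")):
    """Build one Manifest 'DIST' line for data: 'DIST name size ALGO hex ...'."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts.append(algo)
        parts.append(hashlib.new(algo.lower(), data).hexdigest())
    return " ".join(parts)


def parse_manifest(text):
    """Parse Manifest text into {filename: (size, {ALGO: hexdigest})}.

    Only DIST entries (source tarballs) are kept; other entry types such as
    EBUILD or MISC are skipped here for brevity.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue
        name, size = fields[1], int(fields[2])
        # Remaining fields alternate ALGO, hexdigest, ALGO, hexdigest, ...
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_distfile(data, size, hashes):
    """Return (ok, reason): ok only if the size and every listed digest match.

    The size check is cheap and catches appended payloads; the digest checks
    catch same-size modifications. An unknown algorithm is treated as failure
    rather than silently skipped, so a Manifest cannot be downgraded to
    'no usable hashes'.
    """
    if len(data) != size:
        return False, "size mismatch"
    for algo, expected in hashes.items():
        try:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        except ValueError:
            return False, f"unsupported hash {algo}"
        if actual != expected:
            return False, f"{algo} mismatch"
    return True, "ok"


def demo():
    """Verify the genuine file and two tampered variants against the Manifest."""
    manifest = manifest_entry(DIST_NAME, SAMPLE_DIST) + "\n"
    size, hashes = parse_manifest(manifest)[DIST_NAME]
    genuine = verify_distfile(SAMPLE_DIST, size, hashes)
    # Tampering that changes the length is caught by the size field alone.
    appended = verify_distfile(SAMPLE_DIST + b"# extra bytes\n", size, hashes)
    # Same-length tampering passes the size check and is caught by the digest.
    same_size = verify_distfile(SAMPLE_DIST[:-1] + b"X", size, hashes)
    return genuine, appended, same_size


if __name__ == "__main__":
    for label, result in zip(("genuine", "appended", "same_size"), demo()):
        print(f"{label}: {result}")
```

The point the thread makes still applies to this script: the digests only protect the source tarball if the Manifest itself arrived intact, which is why the reply stresses that the ebuild and its Manifest in the portage tree would also have to be poisoned for a tampered tarball on a third-party mirror to be accepted.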

Replies

Subject Author
RE: [gentoo-security] portage/rsync question "Butterworth