Gentoo Archives: gentoo-security

From: Robert Buchholz <rbu@g.o>
To: gentoo-security@l.g.o
Cc: Florian Philipp <lists@××××××××××××××××××.net>
Subject: Re: [gentoo-security] Portage rsync security
Date: Thu, 20 Mar 2008 13:08:48
Message-Id: 200803201407.40543.rbu@gentoo.org
In Reply to: [gentoo-security] Portage rsync security by Florian Philipp
On Thursday 20 March 2008, Florian Philipp wrote:
> Hi list!
>
> Am I right that there is currently no way portage tries to verify
> that the rsync-mirror is not spoofed?
>
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making
> false updates and thus executing a malicious program with
> root-permission on their machine.
>
>
> So, why isn't there some kind of public key authentication going on,
> at least optionally?
>
> By the way: How does gentoo's gpg-feature work? The man-page doesn't
> contain an explanation.
As Mansour already pointed out, the only check Portage currently does is
comparing checksums from the Manifest in your tree (rsync delivered)
against the files in the tree (also rsync, will be executed as root)
and those downloaded from SRC_URI (usually distfiles).

The only way to secure this is to employ signing at the very source
(CVS, core gentoo infra) and then check it on the user side. If you
want to do this right now, you can change your tree syncing to manually
download the gpg-signed portage-latest.tar.bz2 tree snapshots from your
local distfiles mirror and check them.

If you want to know more details on the plans we have to implement
signing via rsync, please read, and feel free to comment on:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/

Regards,
Robert
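The Manifest check Robert describes, written out as an added Python example (not Portage's own code): it parses Manifest2 lines of the form TYPE filename size HASHNAME hexdigest ..., compares each file's size and digests, and lists every discrepancy. The ebuild, Manifest and temporary directory in demo() are constructed for the example; the DISTDIR handling for DIST entries is an assumption about where distfiles are looked up.

```python
import hashlib
import tempfile
from pathlib import Path

# Manifest2 hash names used by Portage, mapped to hashlib names.
HASH_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
              "SHA512": "sha512", "BLAKE2B": "blake2b"}

def parse_manifest(text):
    """Parse Manifest2 lines: TYPE filename size (HASHNAME hexdigest)+"""
    entries = []
    for parts in filter(None, (line.split() for line in text.splitlines())):
        if len(parts) < 5 or len(parts) % 2 == 0:
            raise ValueError("malformed Manifest line: %r" % " ".join(parts))
        entries.append((parts[0], parts[1], int(parts[2]),
                        dict(zip(parts[3::2], parts[4::2]))))
    return entries

def verify_entry(root, distdir, entry):
    """Return a list of problems for one entry; an empty list means it verified."""
    ftype, name, size, hashes = entry
    # DIST entries name downloaded distfiles (SRC_URI); other types live in the tree.
    try:
        data = Path(distdir if ftype == "DIST" else root, name).read_bytes()
    except OSError:
        return ["%s: missing" % name]
    problems = []
    if len(data) != size:
        problems.append("%s: size %d != %d" % (name, len(data), size))
    for algo, expected in hashes.items():
        if algo not in HASH_NAMES:   # e.g. RMD160 on builds whose OpenSSL lacks it
            problems.append("%s: cannot check %s" % (name, algo))
        elif hashlib.new(HASH_NAMES[algo], data).hexdigest() != expected.lower():
            problems.append("%s: %s mismatch" % (name, algo))
    return problems

def verify_tree(root, manifest_text, distdir=None):
    return [p for e in parse_manifest(manifest_text)
            for p in verify_entry(root, distdir or root, e)]

def demo():
    """Constructed sample: a clean ebuild verifies, a modified one is reported."""
    ebuild = b'EAPI=0\nSRC_URI="mirror://gentoo/${P}.tar.bz2"\n'
    path = Path(tempfile.mkdtemp(), "foo-1.0.ebuild")
    path.write_bytes(ebuild)
    manifest = "EBUILD foo-1.0.ebuild %d SHA256 %s SHA512 %s\n" % (
        len(ebuild), hashlib.sha256(ebuild).hexdigest(), hashlib.sha512(ebuild).hexdigest())
    clean = verify_tree(path.parent, manifest)
    path.write_bytes(ebuild + b"# appended line\n")  # a modified file is caught by size and digests...
    return clean, verify_tree(path.parent, manifest)   # ...provided the Manifest itself is authentic
```

This proves only that the files match the Manifest; since the Manifest arrives over the same unauthenticated rsync channel, a spoofed mirror can ship a matching Manifest, which is why the mail points to the gpg-signed snapshots and source-side signing.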

Attachments

  signature.asc (application/pgp-signature)

Replies

  Re: [gentoo-security] Portage rsync security, by Matthias Geerdsen <vorlon@g.o>