On Thursday 20 March 2008, Florian Philipp wrote:
> Hi list!
>
> Am I right that there is currently no way portage tries to verify
> that the rsync-mirror is not spoofed?
>
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making
> false updates and thus executing a malicious program with
> root-permission on their machine.
>
>
> So, why isn't there some kind of public key authentication going on,
> at least optionally?
>
> By the way: How does gentoo's gpg-feature work? The man-page doesn't
> contain an explanation.

As Mansour already pointed out, the only check Portage currently does is
comparing checksums from the Manifest in your tree (rsync delivered)
against the files in the tree (also rsync, will be executed as root)
and those downloaded from SRC_URI (usually distfiles).

The only way to secure this is to employ signing at the very source
(CVS, core gentoo infra) and then check it on the user side. If you
want to do this right now, you can change your tree syncing to manually
download the gpg-signed portage-latest.tar.bz2 tree snapshots from your
local distfiles mirror and check them.

If you want to know more details on the plans we have to implement
signing via rsync, please read, and feel free to comment on:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/

Regards,
Robert
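The point Robert makes above, that a Manifest fetched over the same rsync channel as the files it describes can only detect corruption and not a hostile mirror, is worth seeing in code. The following is an added example, not code from the thread or from Portage itself. It parses Manifest2-style lines (`EBUILD name size SHA1 hex SHA256 hex`; only SHA1 and SHA256 are handled, RMD160 entries are skipped), verifies a constructed sample tree, then shows that a mirror which edits an ebuild and regenerates the Manifest passes the check. The "signing at the source" step is modelled with an HMAC key the mirror does not hold; that is a stand-in so the example runs on the standard library alone, not how GPG works (GPG is asymmetric and the client needs only the public key). Names, sample contents and the key are all constructed for the example.

```python
"""Added example: Manifest checksums versus a spoofed rsync mirror.

Not Portage code. Manifest2 lines look like
    EBUILD foo-1.0.ebuild 1024 SHA1 <hex> SHA256 <hex>
Type, size and hashes come from the Manifest; the file bytes come from
the same rsync transfer, so a mirror that rewrites both stays consistent.
"""
import hashlib
import hmac

SUPPORTED = {"SHA1": "sha1", "SHA256": "sha256"}   # RMD160 is skipped
MANIFEST_TYPES = ("AUX", "EBUILD", "MISC", "DIST")


def parse_manifest(text):
    """Return {filename: (type, size, {ALGO: hexdigest})} from Manifest2 text."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in MANIFEST_TYPES:
            continue                      # blank lines, armour, unknown types
        ftype, name, size = parts[0], parts[1], int(parts[2])
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[name] = (ftype, size, hashes)
    return entries


def make_manifest(files):
    """Generate Manifest2 text for {filename: bytes}.
    This is exactly what a hostile mirror can do after editing an ebuild."""
    lines = []
    for name, data in sorted(files.items()):
        ftype = "EBUILD" if name.endswith(".ebuild") else "MISC"
        lines.append("%s %s %d SHA1 %s SHA256 %s" % (
            ftype, name, len(data),
            hashlib.sha1(data).hexdigest(),
            hashlib.sha256(data).hexdigest()))
    return "\n".join(lines) + "\n"


def verify_tree(manifest_text, files):
    """Return a list of problems; an empty list means every file matches."""
    problems = []
    entries = parse_manifest(manifest_text)
    for name, (ftype, size, hashes) in entries.items():
        data = files.get(name)
        if data is None:
            problems.append("%s: missing" % name)
            continue
        if len(data) != size:
            problems.append("%s: size %d != %d" % (name, len(data), size))
        for algo, expected in hashes.items():
            if algo not in SUPPORTED:
                continue
            if hashlib.new(SUPPORTED[algo], data).hexdigest() != expected:
                problems.append("%s: %s mismatch" % (name, algo))
    for name in files:
        if name not in entries:
            problems.append("%s: not in Manifest" % name)
    return problems


# --- signing at the source: stand-in for the planned GPG signature ---------
# HMAC with a key only infra holds is used so the example runs offline on
# the standard library. Real tree signing is a GPG detached signature; the
# property demonstrated is the same: the mirror cannot produce a valid one.
def sign_manifest(manifest_text, signing_key):
    return hmac.new(signing_key, manifest_text.encode(), "sha256").hexdigest()


def verify_signed_tree(manifest_text, signature, files, signing_key):
    expected = sign_manifest(manifest_text, signing_key)
    if not hmac.compare_digest(expected, signature):
        return ["Manifest: signature does not verify"]
    return verify_tree(manifest_text, files)


# Constructed sample tree, Manifest and infra key (not real Gentoo data).
GOOD_TREE = {
    "foo-1.0.ebuild": b'DESCRIPTION="foo"\nsrc_install() { emake install; }\n',
    "metadata.xml": b"<pkgmetadata/>\n",
}
GOOD_MANIFEST = make_manifest(GOOD_TREE)
INFRA_KEY = b"held by infra, never on a mirror"     # constructed
GOOD_SIG = sign_manifest(GOOD_MANIFEST, INFRA_KEY)


def demo():
    """Three mirror scenarios; returns the problem list for each."""
    evil = dict(GOOD_TREE)
    evil["foo-1.0.ebuild"] = GOOD_TREE["foo-1.0.ebuild"].replace(
        b"emake install", b"emake install; /tmp/backdoor")
    # 1. ebuild edited, Manifest left alone: the checksum check catches it
    r1 = verify_tree(GOOD_MANIFEST, evil)
    # 2. Manifest regenerated by the mirror as well: passes, nothing is
    #    authenticated, which is the threat raised in the thread
    r2 = verify_tree(make_manifest(evil), evil)
    # 3. Manifest signed at the source; the mirror can only replay the old
    #    signature, which no longer matches its rewritten Manifest
    r3 = verify_signed_tree(make_manifest(evil), GOOD_SIG, evil, INFRA_KEY)
    return r1, r2, r3


if __name__ == "__main__":
    for label, result in zip(("edited", "regenerated", "signed"), demo()):
        print(label, result or "OK")
```

Run stand-alone it prints three lines: the edited tree fails, the regenerated tree passes, and the signed tree fails again. For the snapshot route Robert describes, the real check is a detached GPG signature verified with `gpg --verify` against a Gentoo key obtained out of band, not from the mirror you are verifying; the signature file name and key distribution details are whatever your mirror and the release team publish, and are not shown here.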