Gentoo Archives: gentoo-security

From: shoehn@××××××××××××××××××××.info
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Built in integrity?
Date: Tue, 10 Feb 2004 08:58:51

On Mon, 09 Feb 2004 16:14:21 -0800
Joby Walker <zorloc@××××××××.org> wrote:

[..]

> They are not discussing the MD5s stored in the portage tree but the MD5s
> that are generated and stored in the CONTENTS files
> (/var/db/pkg/*/*/CONTENTS), which are the compiled binaries.
>

I don't consider all these checks very useful. How can I be sure the files emerge downloaded are really the
correct ones? I guess if someone would try to fool me with the help of the portage system he would change the
version of portage with a "bad" one, that would obtain the "bad" files from an evil server, but with correct
MD5 sums. So no one would realize that unless the tampered copy of portage is detected.

I would suggest a normal IDS and try to keep the installed program's integrity in place. The portage's
integrity is a really hard to solve problem, as long as I cannot be sure that the portage binary does what
it is supposed to do.

-
Sebastian Höhn

--
gentoo-security@g.o mailing list
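
The kind of check discussed in this thread, as an added example that is not part of the original message or Portage's own code: it recomputes MD5s for the `obj` entries of a CONTENTS file and reports modified or missing files. It assumes the entry layout `obj <path> <md5> <mtime>`; the function names and sample files are constructed for the demo, and the result is only as trustworthy as the CONTENTS file and the interpreter it runs under.

```python
import hashlib
import os
import tempfile

def parse_obj_entries(contents_text):
    """Yield (path, md5) for each 'obj' line; dir/sym lines carry no digest."""
    for line in contents_text.splitlines():
        if not line.startswith("obj "):
            continue
        try:
            # Paths may contain spaces, so split the two trailing fields from the right.
            path, md5, _mtime = line[4:].rsplit(" ", 2)
        except ValueError:
            continue  # malformed entry (assumed layout: obj <path> <md5> <mtime>)
        yield path, md5.lower()

def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(contents_text, root="/"):
    """Return {path: 'ok' | 'modified' | 'missing'} for files under root."""
    result = {}
    for path, recorded in parse_obj_entries(contents_text):
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            result[path] = "missing"
        else:
            result[path] = "ok" if file_md5(on_disk) == recorded else "modified"
    return result

def demo():
    """Constructed sample: three recorded files, one altered and one deleted afterwards."""
    files = {"/usr/bin/tool": b"original\n", "/etc/my app.conf": b"x=1\n", "/usr/lib/gone.so": b"lib"}
    with tempfile.TemporaryDirectory() as root:
        lines = ["dir /usr/bin"]
        for p, data in files.items():
            full = os.path.join(root, p.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            lines.append(f"obj {p} {hashlib.md5(data).hexdigest()} 1076400000")
        with open(os.path.join(root, "usr/bin/tool"), "wb") as f:
            f.write(b"tampered\n")
        os.remove(os.path.join(root, "usr/lib/gone.so"))
        return verify("\n".join(lines), root)
```
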


Subject Author
Re: [gentoo-security] Built in integrity? James Harlow <james@××××××××××××××.nu>
Re: [gentoo-security] Built in integrity? Ed Grimm <paranoid@××××××××××××××××××××××.org>