Gentoo Archives: gentoo-security

From: Ed Grimm <paranoid@××××××××××××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Re: No, apparently not.
Date: Mon, 08 Nov 2004 02:57:39
Message-Id: Pine.LNX.4.60.0411080300240.5623@mbeq.rq.iarg
In Reply to: [gentoo-security] Re: No, apparently not. by Peter Simons
On Mon, 8 Nov 2004, Peter Simons wrote:
> Ed Grimm writes:
>
>> So how is it that having the Manifest files all signed,
>> and having the Manifest signatures checked, and checking
>> all the MD5 sums in the Manifest files against the files
>> in the directories is only a partial answer?
>
> /usr/portage/eclass is not authenticated by this and
> contains shell code that's (possibly) executed with
> superuser privileges.

Would the obvious fix not be to provide signed Manifest files for the
eclasses as well?

Ed

--
gentoo-security@g.o mailing list
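
The coverage gap discussed in this message, as an added example that is not part of the original post or of Portage: a small audit that verifies MD5 sums from Manifest files and reports files that no Manifest lists, such as an eclass directory without one. The Manifest line format "MD5 <digest> <filename> <size>", the function names and the sample tree are assumptions, and signature verification of the Manifest itself is not shown.

```python
import hashlib
import os
import tempfile

def audit_tree(root):
    """Return (unlisted, mismatched) relative paths for files under root.

    Assumed Manifest line format: "MD5 <hex digest> <filename> <size>",
    with filenames relative to the directory holding the Manifest.
    """
    covered = {}  # absolute path -> expected MD5 hex digest
    for dirpath, _dirs, files in os.walk(root):
        if "Manifest" in files:
            with open(os.path.join(dirpath, "Manifest")) as fh:
                for line in fh:
                    parts = line.split()
                    if len(parts) == 4 and parts[0] == "MD5":
                        covered[os.path.join(dirpath, parts[2])] = parts[1].lower()
    unlisted, mismatched = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "Manifest":
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if path not in covered:
                unlisted.append(rel)  # no Manifest vouches for this file
                continue
            with open(path, "rb") as fh:
                if hashlib.md5(fh.read()).hexdigest() != covered[path]:
                    mismatched.append(rel)
    return sorted(unlisted), sorted(mismatched)

def build_sample_tree(root):
    """Constructed sample: one package with a Manifest, eclass/ without one."""
    pkg = os.path.join(root, "app-misc", "demo")
    ecl = os.path.join(root, "eclass")
    os.makedirs(pkg)
    os.makedirs(ecl)
    ebuild = b"inherit demo\n"
    with open(os.path.join(pkg, "demo-1.0.ebuild"), "wb") as fh:
        fh.write(ebuild)
    with open(os.path.join(pkg, "Manifest"), "w") as fh:
        digest = hashlib.md5(ebuild).hexdigest()
        fh.write("MD5 %s demo-1.0.ebuild %d\n" % (digest, len(ebuild)))
    with open(os.path.join(ecl, "demo.eclass"), "wb") as fh:
        fh.write(b"demo_src_compile() { :; }\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

On the constructed tree the ebuild verifies, while the eclass file is reported as unlisted even though the ebuild inherits it.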
