Gentoo Archives: gentoo-security

From: "Butterworth
To: shimi <shimi@×××××.net>, "gentoo-security@l.g.o" <gentoo-security@l.g.o>
Subject: RE: [gentoo-security] portage/rsync question
Date: Tue, 06 Apr 2010 21:16:36
Message-Id: 8622C222D2FC9D499533B1EEF631D39303331FA631@IMCMBX1.MITRE.ORG
In Reply to: Re: [gentoo-security] portage/rsync question by shimi
Thank you Shimi.  

I also came across a couple threads in my research:  and


These (from back in 2006/2008) discuss potential changes to make the Gentoo software distribution system more secure. Does Portage verify various different hash signatures on the source files as a result of these recommendations or is this something Portage has always done? Does anyone know if anything (else) ever came of these proposals?


I’m new to the Gentoo community and am playing catch-up in regards to what’s going on.  Thank you. 



From: shimi [mailto:shimi@×××××.net] 
Sent: Tuesday, April 06, 2010 4:27 PM
To: gentoo-security@l.g.o
Cc: Butterworth, John W.
Subject: Re: [gentoo-security] portage/rsync question



On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <jbutterworth@×××××.org> wrote:

Hi.  I have a security-related question for Portage/rsync: 


If someone makes a change to a copy of a program (say a backdoor added to apache) hosted on a public mirror, will the sync’ing between the public mirror and the main rotation mirror determine that it's corrupted (via 'bad' checksum) on the public-mirror side and replace it? 



If it's hosted @ Gentoo, if the main server is intact, the next sync will overwrite the mirror-local copy

If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I understand that's the scenario you refer to)

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a cracker changing stuff at, when you try to *emerge* the package, emerge will fail because Portage verifies various different hash signatures on the source files - which are embedded in the portage package tree [1].


-- Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest
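The check Shimi describes in [1] is, at its core, a comparison of a downloaded distfile against the size and hashes recorded in the DIST line of the package's Manifest. The script below is an added illustration of that comparison, not Portage's own code and not from either poster. The Manifest text, the file name apache-2.2.15.tar.bz2 and the tarball bytes are all constructed here so it runs offline; the DIST line layout (`DIST <name> <size> ALGO <hex> ALGO <hex> ...`) follows the Manifest format of that era. It also shows the caveat from the thread: a tampered tarball fails, but a tarball whose Manifest entry was rewritten to match passes, which is why the Manifest must come from a trusted tree rather than from the same place as the tarball.

```python
import hashlib

# Constructed stand-in for a real tarball (name and bytes are made up for this example).
DISTFILE_NAME = "apache-2.2.15.tar.bz2"
GOOD_DISTFILE = b"pretend this is apache-2.2.15.tar.bz2\n"
# Constructed "backdoored" copy of the same length, so only the hashes differ.
TAMPERED_DISTFILE = GOOD_DISTFILE.replace(b"pretend", b"PRETEND")

# Algorithm names as written in a Manifest, mapped to hashlib names.
HASH_NAMES = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512", "RMD160": "ripemd160"}


def digest(data, algo):
    """Hex digest of data, or None when this Python build lacks the algorithm."""
    try:
        h = hashlib.new(HASH_NAMES[algo])
    except (KeyError, ValueError):
        return None
    h.update(data)
    return h.hexdigest()


def make_dist_line(filename, data, algos=("SHA1", "SHA256")):
    """Build a Manifest DIST line for data: DIST <name> <size> ALGO <hex> ..."""
    parts = ["DIST", filename, str(len(data))]
    for algo in algos:
        parts += [algo, digest(data, algo)]
    return " ".join(parts)


def parse_manifest(text):
    """Parse DIST entries into {filename: (size, {ALGO: hex})}; other entry types are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # A DIST line has 3 fixed fields plus ALGO/hex pairs, so its field count is odd.
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
            continue
        name, size = fields[1], int(fields[2])
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_distfile(manifest_text, filename, data):
    """Return (ok, reason): ok only if the size and every checkable hash match the Manifest."""
    entries = parse_manifest(manifest_text)
    if filename not in entries:
        return False, "no DIST entry for %s" % filename
    size, hashes = entries[filename]
    if len(data) != size:
        return False, "size mismatch: expected %d, got %d" % (size, len(data))
    checked = 0
    for algo, expected in hashes.items():
        actual = digest(data, algo)
        if actual is None:
            continue  # algorithm not available here; rely on the others
        if actual != expected:
            return False, "%s mismatch" % algo
        checked += 1
    if checked == 0:
        return False, "no supported hash algorithm in Manifest entry"
    return True, "verified with %d hash(es)" % checked


# Constructed Manifest as it would be synced with the portage tree (trusted source).
TRUSTED_MANIFEST = "\n".join([
    "EBUILD apache-2.2.15.ebuild 1234 SHA1 0000000000000000000000000000000000000000",
    make_dist_line(DISTFILE_NAME, GOOD_DISTFILE),
])

# Constructed Manifest rewritten alongside the tarball (the "ebuild also poisoned" case).
POISONED_MANIFEST = make_dist_line(DISTFILE_NAME, TAMPERED_DISTFILE)

if __name__ == "__main__":
    print(verify_distfile(TRUSTED_MANIFEST, DISTFILE_NAME, GOOD_DISTFILE))
    print(verify_distfile(TRUSTED_MANIFEST, DISTFILE_NAME, TAMPERED_DISTFILE))
    print(verify_distfile(POISONED_MANIFEST, DISTFILE_NAME, TAMPERED_DISTFILE))
```

The first call passes, the second fails on the first hash that differs, and the third passes: against a Manifest that was rewritten together with the tarball the hashes say nothing, so the integrity of the distfile check is only as good as the integrity of the tree the Manifest came from.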

