Gentoo Archives: gentoo-security

From: "Butterworth
To: shimi <shimi@×××××.net>, "gentoo-security@l.g.o" <gentoo-security@l.g.o>
Subject: RE: [gentoo-security] portage/rsync question
Date: Tue, 06 Apr 2010 21:16:36
Message-Id: 8622C222D2FC9D499533B1EEF631D39303331FA631@IMCMBX1.MITRE.ORG
In Reply to: Re: [gentoo-security] portage/rsync question by shimi
Thank you Shimi.

I also came across a couple of threads in my research:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/ and

http://thread.gmane.org/gmane.linux.gentoo.devel/38363

These (from back in 2006/2008) discuss potential changes to make the Gentoo software distribution system more secure. Does Portage verify various different hash signatures on the source files as a result of these recommendations, or is this something Portage has always done? Does anyone know if anything (else) ever came of these proposals?

I’m new to the Gentoo community and am playing catch-up in regard to what’s going on. Thank you.

-John

From: shimi [mailto:shimi@×××××.net]
Sent: Tuesday, April 06, 2010 4:27 PM
To: gentoo-security@l.g.o
Cc: Butterworth, John W.
Subject: Re: [gentoo-security] portage/rsync question

On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <jbutterworth@×××××.org> wrote:

Hi. I have a security-related question for Portage/rsync:

If someone makes a change to a copy of a program (say a backdoor added to apache) hosted on a public mirror, will the syncing between the public mirror and the main rotation mirror determine that it's corrupted (via 'bad' checksum) on the public-mirror side and replace it?

If it's hosted at Gentoo, if the main server is intact, the next sync will overwrite the mirror-local copy.

If it's not hosted on Gentoo's mirror, Gentoo's syncing is unrelated (and I understand that's the scenario you refer to).

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a cracker changing stuff at apache.org), when you try to *emerge* the package, emerge will fail because Portage verifies various different hash signatures on the source files - which are embedded in the portage package tree [1].

HTH,

-- Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest
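What the Manifest footnote above points at, as an added example that is not part of this thread and not Portage's own code: a small Python checker that reads Manifest DIST entries and verifies a distfile's size and digests against them. Only the line format (DIST, filename, size, then hash-name/digest pairs) is Gentoo's; the sample Manifest, the tarball bytes, the choice of BLAKE2B and SHA512 (the pair current Manifests carry; the 2010 tree used an older set), and the hypothetical NEWHASH algorithm name are constructed for this illustration.

```python
"""Verify a distfile against Gentoo-style Manifest DIST entries.

Added example for this thread, not Portage's own code.  Only the line
format is Gentoo's:
    DIST <filename> <size> <HASH> <hexdigest> [<HASH> <hexdigest> ...]
The sample Manifest, the tarball bytes, and the NEWHASH algorithm name
below are constructed for illustration.
"""
import hashlib


def parse_manifest(text):
    """Parse Manifest text into {filename: {"type", "size", "hashes"}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # type, name, size, then at least one <HASH> <digest> pair
        if len(fields) < 5 or (len(fields) - 3) % 2:
            raise ValueError(f"malformed Manifest line: {raw!r}")
        names, digests = fields[3::2], fields[4::2]
        entries[fields[1]] = {
            "type": fields[0],
            "size": int(fields[2]),
            "hashes": {n.upper(): d.lower() for n, d in zip(names, digests)},
        }
    return entries


def verify_distfile(entry, data):
    """Check data's size and every digest listed in entry.

    Returns (ok, problems).  Verification fails closed: an algorithm this
    checker cannot compute is reported as a problem rather than skipped,
    so a file never passes on digests that were not actually checked.
    """
    problems = []
    if len(data) != entry["size"]:
        problems.append(f"size {len(data)} != {entry['size']}")
    for name, expected in entry["hashes"].items():
        try:
            h = hashlib.new(name.lower())
        except ValueError:
            problems.append(f"unsupported hash {name}")
            continue
        h.update(data)
        if h.hexdigest() != expected:
            problems.append(f"{name} mismatch")
    return (not problems, problems)


# Constructed stand-ins for a pristine distfile and a backdoored copy.
GOOD_TARBALL = b"stand-in for httpd source tarball bytes\n" * 64
TAMPERED_TARBALL = GOOD_TARBALL + b"#!/bin/sh\n# injected by attacker\n"


def make_dist_line(name, data, algos=("BLAKE2B", "SHA512")):
    """Build the DIST line for data (used only to keep the sample consistent;
    in real use the Manifest arrives with the rsync'd tree)."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts += [algo, hashlib.new(algo.lower(), data).hexdigest()]
    return " ".join(parts)


SAMPLE_MANIFEST = "\n".join([
    make_dist_line("httpd-sample.tar.bz2", GOOD_TARBALL),
    # Hypothetical entry whose only digest uses an algorithm we lack.
    "DIST httpd-legacy.tar.gz 10 NEWHASH " + "0" * 64,
])


def check_sample():
    """Run the checker over the constructed cases and return the results."""
    entries = parse_manifest(SAMPLE_MANIFEST)
    good = entries["httpd-sample.tar.bz2"]
    return {
        "good": verify_distfile(good, GOOD_TARBALL),
        "tampered": verify_distfile(good, TAMPERED_TARBALL),
        "unsupported": verify_distfile(entries["httpd-legacy.tar.gz"],
                                       b"0123456789"),
    }


if __name__ == "__main__":
    for case, (ok, problems) in check_sample().items():
        print(f"{case}: {'OK' if ok else 'FAIL'} {problems}")
```

The "tampered" case is the scenario in the question: a distfile altered on a mirror fails on its size and on every listed digest, so the fetch is rejected before anything is built. The check is only as strong as the Manifest it reads, though; a Manifest that arrived from a tampered tree would simply carry the attacker's digests, which is the gap the tree-signing GLEPs linked above set out to close.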

Attachments

File name MIME type
smime.p7s application/x-pkcs7-signature

Replies

Subject Author
Re: [gentoo-security] portage/rsync question shimi <shimi@×××××.net>