Gentoo Archives: gentoo-security

From: Peter Simons <simons@××××.to>
To: gentoo-security@l.g.o
Subject: [gentoo-security] How to authenticate the portage tree
Date: Mon, 08 Nov 2004 02:42:02
Message-Id: 87acttqcz1.fsf_-_@peti.cryp.to
In Reply to: [gentoo-security] Re: Trojan for Gentoo, part 2 by Peter Simons
(1) Run "find /usr/portage -type f | xargs sha1sum -b" on
    the Gentoo main system.

(2) Sign the output with GPG.

(3) Put it into the portage tree.

(4) If the user has GPG installed and has manually put the
    appropriate public key in some place _outside_ of the
    portage tree, have "emerge sync" verify that the
    signature is intact and all hashes hold.

(5) Missing files in the tree are okay (rsync_excludes),
    files in the tree which do not have a hash are not okay.


--
gentoo-security@g.o mailing list
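
The hash check from steps (4) and (5) above, as an added example that is not part of the original message and is not Portage code. It assumes the hash list stores paths relative to the tree root, that the list and its signature live in the tree under the hypothetical names tree.sha1 and tree.sha1.asc, and that the GPG signature over the list has already been verified with a key kept outside the tree.

```python
import hashlib
import os

# Hypothetical names for the hash list and its detached signature in the tree.
# They cannot contain their own hashes, so they are skipped in both directions.
SKIP = {"tree.sha1", "tree.sha1.asc"}

def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_files(root):
    """Yield regular files (no symlinks, like 'find -type f') relative to root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                yield os.path.relpath(full, root)

def make_manifest(root):
    """Step (1): one 'sha1sum -b' style line ('<hex> *<path>') per file."""
    return "".join(f"{sha1_file(os.path.join(root, p))} *{p}\n"
                   for p in sorted(tree_files(root)) if p not in SKIP)

def parse_manifest(text):
    """Map path -> expected digest; raise ValueError on a malformed line."""
    expected = {}
    for line in text.splitlines():
        digest, sep, path = line.partition(" *")
        if not sep or len(digest) != 40:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[path] = digest.lower()
    return expected

def check_tree(root, manifest_text):
    """Steps (4)-(5): return (mismatched, unlisted, missing) path lists."""
    expected = parse_manifest(manifest_text)
    present = {p for p in tree_files(root) if p not in SKIP}
    mismatched = sorted(p for p in present & expected.keys()
                        if sha1_file(os.path.join(root, p)) != expected[p])
    unlisted = sorted(present - expected.keys())  # no hash: not okay
    missing = sorted(expected.keys() - present)   # rsync_excludes: okay
    return mismatched, unlisted, missing

def tree_ok(root, manifest_text):
    mismatched, unlisted, _missing = check_tree(root, manifest_text)
    return not mismatched and not unlisted
```
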

Replies

Subject Author
[gentoo-security] Gentoo Portage Attack Tree "Ervin Németh" <ervin.nemeth@××××.hu>
Re: [gentoo-security] How to authenticate the portage tree Marius Mauch <genone@g.o>