On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <jbutterworth@×××××.org> wrote:

> Thank you Shimi.
>
> I also came across a couple threads in my research:
>
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/
> and
> http://thread.gmane.org/gmane.linux.gentoo.devel/38363
>
> These (from back in 2006/2008) discuss potential changes to make the
> Gentoo software distribution system more secure. Does Portage verify
> various different hash signatures on the source files as a result of these
> recommendations or is this something Portage has always done? Does anyone
> know if anything (else) ever came of these proposals?

This is with regards to signing; signing also promises you that the file at
Gentoo's main distribution is intact, otherwise the signature won't be valid.
Verifying files' integrity by hashes is unrelated; of course, when you do
sign your releases, you have to sign all the relevant stuff, including the
hashes of the files, so everyone can verify that *nothing* was tampered with. But
I was merely talking about verifying that the downloaded file matches what
the developer who added the package had on his computer (assuming, again,
that you're syncing from a reliable source, and that this reliable source,
which is syncing from Gentoo's main tree, is syncing from a non-compromised
tree, AND that no one MITM'd it - which is difficult to achieve when rsync
traffic is not SSL with verifiable certs AND the packages themselves are not
signed with PGP etc...)

Anyways, the existence of hashes for the files, if memory serves me right,
has been there since before I started using Gentoo, which dates back to the end of
2003... the hash algorithms have changed over time, but that's no biggie -
you can look at the Manifest file I gave as an example - you just have the hash
there along with the algorithm that needs to verify it (and there's more
than one...)

Sorry but I don't know about the status of actual Signing in Gentoo, which is
probably handled by the security people... I am merely an old user :)

HTH,

-- Shimi
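An added example, not part of the thread or of Portage itself, of the hash check Shimi describes: a small verifier for a Portage-style Manifest entry (`TYPE name size ALGO hex ALGO hex ...`), run over a constructed entry built from constructed file contents. It shows an intact download passing, a modified one failing, and why a Manifest that is rewritten together with the file still satisfies a hash-only check, which is the gap that signing the Manifest closes. The choice of SHA256/SHA512 and the sample contents are assumptions made here.

```python
import hashlib

# Constructed sample, not a real Gentoo Manifest: Portage-style entries read
# "TYPE name size ALGO hex ALGO hex ..."; which algorithms appear has changed over time.
SUPPORTED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def manifest_line(ftype, name, data, algos=("SHA256", "SHA512")):
    """Build the Manifest line the tree would publish for `data`."""
    fields = [ftype, name, str(len(data))]
    for algo in algos:
        fields += [algo, SUPPORTED[algo](data).hexdigest()]
    return " ".join(fields)

def parse_manifest_line(line):
    """Return (type, name, size, {algo: hex}) for one Manifest line."""
    parts = line.split()
    return parts[0], parts[1], int(parts[2]), dict(zip(parts[3::2], parts[4::2]))

def verify_distfile(line, data):
    """Check size and every listed hash we can compute; returns (ok, reasons).
    One mismatch fails the file, and an entry with no usable algorithm fails closed."""
    _, name, size, digests = parse_manifest_line(line)
    reasons = [] if len(data) == size else [f"{name}: size {len(data)} != {size}"]
    checked = 0
    for algo, expected in digests.items():
        fn = SUPPORTED.get(algo)
        if fn is None:
            continue  # unknown algorithm: neither trusted nor counted
        checked += 1
        if fn(data).hexdigest() != expected:
            reasons.append(f"{name}: {algo} mismatch")
    if checked == 0:
        reasons.append(f"{name}: no supported hash algorithm in Manifest")
    return (not reasons), reasons

# Constructed stand-in for what the developer had on his machine.
ORIGINAL = b"fake-tarball-contents-v1\n"
LINE = manifest_line("DIST", "foo-1.0.tar.gz", ORIGINAL)

def demo():
    good, _ = verify_distfile(LINE, ORIGINAL)          # intact download passes
    bad, _ = verify_distfile(LINE, ORIGINAL + b"x")    # modified download fails
    # Whoever can rewrite the Manifest along with the file satisfies a hash-only
    # check; only a signature over the Manifest would reveal that rewrite.
    rewritten = manifest_line("DIST", "foo-1.0.tar.gz", ORIGINAL + b"x")
    laundered, _ = verify_distfile(rewritten, ORIGINAL + b"x")
    return good, bad, laundered
```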