Gentoo Archives: gentoo-security

From: shimi <shimi@×××××.net>
To: "Butterworth, John W." <jbutterworth@×××××.org>
Cc: "gentoo-security@l.g.o" <gentoo-security@l.g.o>
Subject: Re: [gentoo-security] portage/rsync question
Date: Tue, 06 Apr 2010 21:20:58
In Reply to: RE: [gentoo-security] portage/rsync question by "Butterworth
1 On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <
2 jbutterworth@×××××.org> wrote:
4 > Thank you Shimi.
5 >
6 > I also came across a couple threads in my research:
7 >
8 >
9 >
10 > and
11 >
12 >
13 >
14 >
15 >
16 > These (from back in 2006/2008) discuss potential changes to make the
17 > Gentoo software distribution system more secure. Does Portage verify
18 > various different hash signatures on the source files as a result of these
19 > recommendations or is this something Portage has always done? Does anyone
20 > know if anything (else) ever came of these proposals?
21 >
22 >
23 >
25 This is with regards to signing; Signing also promises you that the file at
26 Gnetoo's main distribution is intact, otherwise the signing won't be valid.
27 Verifying files integrity by hashes is unrelated; Of course, when you do
28 sign your releases, you have to sign all the relevant stuff, including the
29 hashes of the files, so everyone can verify that *nothing* was tempered. But
30 I was merely talking about verifying that the downloaded file matches what
31 the developer who added the package had on his computer (assuming, again,
32 that you're syncing from a reliable source, and that this reliable source
33 who is syncing from gentoo's main tree, is syncing from a non compromised
34 tree, AND that no one MITM'd it - which is difficult to achieve when rsync
35 traffic is not SSL with verifiable certs AND the packages themselves not
36 signed with PGP etc...)
38 Anyways, the existence of hashes for the files, if memory serves me right,
39 has been there before I started using Gentoo, which dates back to the end of
40 2003... the hash algorithms has changed over time, but that's no biggie -
41 you can look at the Manifest file I gave as example - you just have the hash
42 there along with the algorithm that needs to verify it (and there's more
43 than one...)
45 Sorry but I don't know about the status of actual Signing in Gentoo which is
46 probably handled by the security people... I am merely an old user :)
48 HTH,
50 -- Shimi