| 1 |
On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. < |
| 2 |
jbutterworth@×××××.org> wrote: |
| 3 |
|
| 4 |
> Thank you Shimi. |
| 5 |
> |
| 6 |
> I also came across a couple threads in my research: |
| 7 |
> |
| 8 |
> |
| 9 |
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/ |
| 10 |
> and |
| 11 |
> |
| 12 |
> http://thread.gmane.org/gmane.linux.gentoo.devel/38363 |
| 13 |
> |
| 14 |
> |
| 15 |
> |
| 16 |
> These (from back in 2006/2008) discuss potential changes to make the |
| 17 |
> Gentoo software distribution system more secure. Does Portage verify |
| 18 |
> various different hash signatures on the source files as a result of these |
| 19 |
> recommendations or is this something Portage has always done? Does anyone |
| 20 |
> know if anything (else) ever came of these proposals? |
| 21 |
> |
| 22 |
> |
| 23 |
> |
| 24 |
|
| 25 |
This is with regards to signing; Signing also promises you that the file at |
| 26 |
Gnetoo's main distribution is intact, otherwise the signing won't be valid. |
| 27 |
Verifying files integrity by hashes is unrelated; Of course, when you do |
| 28 |
sign your releases, you have to sign all the relevant stuff, including the |
| 29 |
hashes of the files, so everyone can verify that *nothing* was tempered. But |
| 30 |
I was merely talking about verifying that the downloaded file matches what |
| 31 |
the developer who added the package had on his computer (assuming, again, |
| 32 |
that you're syncing from a reliable source, and that this reliable source |
| 33 |
who is syncing from gentoo's main tree, is syncing from a non compromised |
| 34 |
tree, AND that no one MITM'd it - which is difficult to achieve when rsync |
| 35 |
traffic is not SSL with verifiable certs AND the packages themselves not |
| 36 |
signed with PGP etc...) |
| 37 |
|
| 38 |
Anyways, the existence of hashes for the files, if memory serves me right, |
| 39 |
has been there before I started using Gentoo, which dates back to the end of |
| 40 |
2003... the hash algorithms has changed over time, but that's no biggie - |
| 41 |
you can look at the Manifest file I gave as example - you just have the hash |
| 42 |
there along with the algorithm that needs to verify it (and there's more |
| 43 |
than one...) |
| 44 |
|
| 45 |
Sorry but I don't know about the status of actual Signing in Gentoo which is |
| 46 |
probably handled by the security people... I am merely an old user :) |
| 47 |
|
| 48 |
HTH, |
| 49 |
|
| 50 |
-- Shimi |
Archives