On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
> Thanks.
>
> Do you know if someone makes a change to a copy of apache hosted on a
> public mirror, will the sync between the servers determine that it's
> corrupted (via 'bad' checksum) on the public side and replace it?

I can answer this, I run a public Gentoo mirror (not an official one)

If I, or some clown, loads a trojaned copy of Apache source code into
my distfiles mirror, portage will complain bitterly because the hash in the
manifest will fail. Then you will know something is wrong.

If I trojan the ebuild and the portage tree to match my trojaned sources, you
will probably not pick it up. This would be very risky indeed for me to do as
I can't be sure you will sync the tree and get your distfiles from me.

You can check if my portage tree is up to date and how often I sync it by
comparing timestamps between me and upstream master at gentoo.org. In my case,
any trojans I host will get overwritten by gentoo.org masters every 12 hours.
Except if I have a sneaky --exclude in my rsync command, or my cron syncs and
then puts the trojan back.

It's not quite as simple as that, but the above will suffice for what someone
already said: You cannot completely 100% trust a public mirror, or even
gentoo.org for that matter. I know I don't pull sneaky stunts with my mirror
but I can't prove that to you. I trust upstream to always do the right thing
and I hope you feel you can trust me likewise. But if you don't, I have no
choice but to accept your wishes and leave you to run whatever checksum
comparisons you feel are appropriate for your needs.

>
> -john
>
> -----Original Message-----
> From: Albert W. Hopkins [mailto:marduk@×××××××××××.org]
> Sent: Tuesday, April 06, 2010 2:24 PM
> To: gentoo-user@l.g.o
> Subject: Re: [gentoo-user] Portage + checksums
>
> On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> > How can I verify that the installed packages on a Gentoo system came
> > from the same source that was on a main rotation mirror and/or
> > “blessed” by the Gentoo development team?
> >
> > By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am
> > I only confirming that the source was the same as that which was
> > downloaded from the mirror?
> >
> > I guess what I’m getting at is how can I be sure I can trust a
> > mirror?
> >
> > Thank you very much in advance for any insight provided,
>
> It really depends on your level of paranoia. Ultimately it can't be
> trusted at all.
>
> If you really want to be sure then just the source/manifest from your
> "trusted" mirror and compare.

--
alan dot mckinnon at gmail dot com
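The two cases Alan describes above (a trojaned distfile alone fails the Manifest hash; a trojaned distfile plus a rewritten Manifest passes it, and only a comparison against the upstream master catches that) can be reproduced with a small Manifest checker. The following is an added example written for this thread; it is not portage's code and not anything Alan or Gentoo published. It assumes the Manifest2 `DIST <file> <size> <ALGO> <hex> ...` line layout with `BLAKE2B` and `SHA512` digests, and the tarball bytes, the filename `httpd-example.tar.bz2` and both Manifests are constructed inline, with the "upstream" Manifest generated from the genuine bytes the way release engineering would.

```python
"""Verify a distfile against a Gentoo-style Manifest, and cross-check a
mirror's Manifest against upstream's (added example, not portage code)."""
import hashlib
import re

# Manifest2 digest names mapped to hashlib constructors (assumed subset).
HASH_ALGOS = {"BLAKE2B": "blake2b", "SHA512": "sha512"}

# DIST <filename> <size> (<ALGO> <hexdigest>)+
DIST_RE = re.compile(r"^DIST\s+(\S+)\s+(\d+)((?:\s+\S+\s+[0-9a-fA-F]+)+)\s*$")


def parse_manifest(text):
    """Return {filename: {"size": int, "hashes": {ALGO: hex}}} for DIST lines.
    EBUILD/MISC/AUX entries are skipped; this example only covers distfiles."""
    entries = {}
    for line in text.splitlines():
        m = DIST_RE.match(line)
        if not m:
            continue
        name, size, fields = m.group(1), int(m.group(2)), m.group(3).split()
        hashes = dict(zip(fields[0::2], (h.lower() for h in fields[1::2])))
        entries[name] = {"size": size, "hashes": hashes}
    return entries


def make_manifest(name, data):
    """Build one DIST line from bytes you trust (what upstream publishes)."""
    parts = ["DIST", name, str(len(data))]
    for algo, hl in HASH_ALGOS.items():
        parts += [algo, hashlib.new(hl, data).hexdigest()]
    return " ".join(parts) + "\n"


def verify_distfile(manifest_text, name, data):
    """Return (ok, reason). Fails closed on a missing entry, a size mismatch,
    any digest mismatch, or an entry with no digest we know how to compute."""
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return False, "no DIST entry for %s" % name
    if len(data) != entry["size"]:
        return False, "size mismatch"
    checked = 0
    for algo, expected in entry["hashes"].items():
        hl = HASH_ALGOS.get(algo)
        if hl is None:
            continue  # unknown algorithm: neither trusted nor fatal by itself
        if hashlib.new(hl, data).hexdigest() != expected:
            return False, "%s mismatch" % algo
        checked += 1
    if checked == 0:
        return False, "no supported digest to check"
    return True, "ok"


def manifests_agree(upstream_text, mirror_text, name):
    """The cross-check from the thread: does the mirror's DIST entry for
    this file match the one on the upstream master?"""
    up = parse_manifest(upstream_text).get(name)
    mi = parse_manifest(mirror_text).get(name)
    return up is not None and up == mi


# Constructed sample bytes and filename; not a real tarball or release.
NAME = "httpd-example.tar.bz2"
GENUINE = b"constructed sample: genuine apache source tarball bytes\n"
TROJANED = GENUINE + b"constructed sample: extra bytes a mirror operator slipped in\n"

UPSTREAM_MANIFEST = make_manifest(NAME, GENUINE)          # gentoo.org master
MIRROR_MANIFEST_HONEST = UPSTREAM_MANIFEST                # mirror synced faithfully
MIRROR_MANIFEST_TROJANED = make_manifest(NAME, TROJANED)  # mirror rewrote tree too


def scenarios():
    """Outcome of each case discussed in the thread."""
    return {
        "genuine_file_genuine_manifest": verify_distfile(UPSTREAM_MANIFEST, NAME, GENUINE)[0],
        "trojaned_file_honest_manifest": verify_distfile(MIRROR_MANIFEST_HONEST, NAME, TROJANED)[0],
        "trojaned_file_trojaned_manifest": verify_distfile(MIRROR_MANIFEST_TROJANED, NAME, TROJANED)[0],
        "upstream_cross_check_flags_mirror": not manifests_agree(UPSTREAM_MANIFEST, MIRROR_MANIFEST_TROJANED, NAME),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print("%-36s %s" % (case, result))
```

The third scenario is the one the hash check alone cannot see: when the same party controls both the distfile and the Manifest, the digests are self-consistent. The fourth scenario is the comparison suggested in the thread, fetching the Manifest from a source you trust and diffing the DIST entries, which is what exposes that case.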