| 1 |
On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote: |
| 2 |
> Thanks. |
| 3 |
> |
| 4 |
> Do you know if someone makes a change to a copy of apache hosted on a |
| 5 |
> public mirror, will the sync between the servers determine that it's |
| 6 |
> corrupted (via 'bad' checksum) on the public side and replace it? |
| 7 |
|
| 8 |
I can answer this, I run a public Gentoo mirror (not an official one) |
| 9 |
|
| 10 |
If I, or some clown, loads a trojaned copy of Apache source code into |
| 11 |
my distfiles mirror, portage will complain bitterly because the hash in the |
| 12 |
manifest will fail. Then you will know something is wrong. |
| 13 |
|
| 14 |
If I trojan the ebuild and the portage tree to match my trojaned sources, you |
| 15 |
will probably not pick it up. This would be very risky indeed for me to do as |
| 16 |
I can't be sure you will sync the tree and get your distfiles from me. |
| 17 |
|
| 18 |
You can check if my portage tree is up to date and how often I sync it by |
| 19 |
comparing timestamps between me and upstream master at gentoo.org. In my case, |
| 20 |
any trojans I host will get overwritten by gentoo.org masters every 12 hours. |
| 21 |
Except if I have a sneaky --exclude in my rsync command, or my cron syncs and |
| 22 |
then puts the trojan back. |
| 23 |
|
| 24 |
It's not quite as simple as that, but the above will suffice what someone |
| 25 |
already said: You cannot completely 100% trust a public mirror, or even |
| 26 |
gentoo.org for that matter. I know I don't pull sneaky stunts with my mirror |
| 27 |
but I can't prove that to you. I trust upstream to always do the right thing |
| 28 |
and I hope you feel you can trust me likewise. But if you don't, I have no |
| 29 |
choice but to accept your wishes and leave you to run whatever checksum |
| 30 |
comparisons you feel are appropriate for your needs. |
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
> |
| 35 |
> -john |
| 36 |
> |
| 37 |
> -----Original Message----- |
| 38 |
> From: Albert W. Hopkins [mailto:marduk@×××××××××××.org] |
| 39 |
> Sent: Tuesday, April 06, 2010 2:24 PM |
| 40 |
> To: gentoo-user@l.g.o |
| 41 |
> Subject: Re: [gentoo-user] Portage + checksums |
| 42 |
> |
| 43 |
> On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote: |
| 44 |
> > How can I verify that the installed packages on a Gentoo system came |
| 45 |
> > from the same source that was on a main rotation mirror and/or |
| 46 |
> > “blessed” by the Gentoo development team? |
| 47 |
> > |
| 48 |
> > |
| 49 |
> > |
| 50 |
> > By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am |
| 51 |
> > I only confirming that the source was the same as that which was |
| 52 |
> > downloaded from the mirror? |
| 53 |
> > |
| 54 |
> > |
| 55 |
> > |
| 56 |
> > I guess what I’m getting at is how can I be sure I can trust a |
| 57 |
> > mirror? |
| 58 |
> > |
| 59 |
> > |
| 60 |
> > |
| 61 |
> > Thank you very much in advance for any insight provided, |
| 62 |
> |
| 63 |
> It really depends on your level of paranoia. Ultimately it can't be |
| 64 |
> trusted at all. |
| 65 |
> |
| 66 |
> If you really want to be sure then just the source/manifest from your |
| 67 |
> "trusted" mirror and compare. |
| 68 |
|
| 69 |
-- |
| 70 |
alan dot mckinnon at gmail dot com |
Archives