| 1 |
Alan McKinnon <alan.mckinnon <at> gmail.com> writes: |
| 2 |
|
| 3 |
|
| 4 |
> > This is retarded, and I'm too old to do that now, so I went shopping |
| 5 |
> > for some script/tool/code to do it for me. In fact, I do not know |
| 6 |
> > why the integrity check is not fully integrated into ftp. rsync. |
| 7 |
> > or whatever the download tool is? |
| 8 |
|
| 9 |
|
| 10 |
> Perhaps I'm just old and retarded myself, but portage already does what |
| 11 |
> you want. |
| 12 |
|
| 13 |
|
| 14 |
Well certainly portage is one common methods to download, and we can explore |
| 15 |
that thread. But, I was thinking more general. Late last night (too late) I |
| 16 |
decided to download 'lilblue'. I poked around on several gentoo mirrors and |
| 17 |
could not find it. So with my google hat on, I found it on a non typical |
| 18 |
(mirror) server. The download was slow (300K) so naturally, I became |
| 19 |
suspicious. I checked manually, but it was late and I was tired..... |
| 20 |
|
| 21 |
|
| 22 |
The download was kicked off from the web browser (seamonkey). Now that I |
| 23 |
think about it, there are a myriad of ways to download sources. What I was |
| 24 |
suggesting (inquiring?) is that a command line tool could be readily |
| 25 |
developed (if it did not already exist) to simple check any download |
| 26 |
against the published data (keys/hashes/etc) depending on what is in the |
| 27 |
local dir where the download lands (is stored). It could be used with |
| 28 |
protage files too. |
| 29 |
But why not just use a simple script: |
| 30 |
|
| 31 |
<scriptname> package.just.downloaded package.just.downloaded.DIGESTS |
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
But then I got to questioning the integrity of both the downloaded sources |
| 36 |
and the digest originating on the same server........ Probably not a good |
| 37 |
idea either? So the digest should come from elsewhere? Maybe pull the digest |
| 38 |
from a certificated (pontificated?) (gentoo controlled) server and not |
| 39 |
somebody's (low priority managed) public server. Or maybe a master list of |
| 40 |
digests (hashes) could be included on every (hardened) gentoo box? |
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
It seems *everything is hacked* now. Certainly the NSA has fessed up to that |
| 45 |
as have others. Sure it may be just "good business" but the brightest minds |
| 46 |
now days are mostly focused on security comprimises, particularly offensive |
| 47 |
strategies, imho. So it seems to me, there is probably a "fly in the |
| 48 |
ointment" common to what everyone is doing on a semi regular basis. To me |
| 49 |
this sort of (justified/unjustified) paranoia should be incorporated into |
| 50 |
the entire "hardened" effort at gentoo, imho, if not on a wider basis. |
| 51 |
|
| 52 |
|
| 53 |
So please continue the "protage" thread discussion, but also a wider thread |
| 54 |
concerning other source downloads. Afterall, *if" you can inject* into |
| 55 |
sources, which are then compiled, who checks under the under_garments? If |
| 56 |
you read about "The rat" the most secure implementation had/has tainted it's |
| 57 |
very soul. [1] |
| 58 |
|
| 59 |
|
| 60 |
|
| 61 |
curiously, |
| 62 |
James |
| 63 |
|
| 64 |
[1] |
| 65 |
http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/ |
Archives