Alan McKinnon <alan.mckinnon <at> gmail.com> writes:

> > This is retarded, and I'm too old to do that now, so I went shopping
> > for some script/tool/code to do it for me. In fact, I do not know
> > why the integrity check is not fully integrated into ftp, rsync,
> > or whatever the download tool is?

> Perhaps I'm just old and retarded myself, but portage already does what
> you want.

Well certainly portage is one common method to download, and we can explore
that thread. But, I was thinking more general. Late last night (too late) I
decided to download 'lilblue'. I poked around on several gentoo mirrors and
could not find it. So with my google hat on, I found it on a non-typical
(mirror) server. The download was slow (300K) so naturally, I became
suspicious. I checked manually, but it was late and I was tired.....

The download was kicked off from the web browser (seamonkey). Now that I
think about it, there are a myriad of ways to download sources. What I was
suggesting (inquiring?) is that a command line tool could be readily
developed (if it did not already exist) to simply check any download
against the published data (keys/hashes/etc) depending on what is in the
local dir where the download lands (is stored). It could be used with
portage files too.
But why not just use a simple script:

<scriptname> package.just.downloaded package.just.downloaded.DIGESTS

But then I got to questioning the integrity of both the downloaded sources
and the digest originating on the same server........ Probably not a good
idea either? So the digest should come from elsewhere? Maybe pull the digest
from a certificated (pontificated?) (gentoo controlled) server and not
somebody's (low priority managed) public server. Or maybe a master list of
digests (hashes) could be included on every (hardened) gentoo box?

It seems *everything is hacked* now. Certainly the NSA has fessed up to that
as have others. Sure it may be just "good business" but the brightest minds
nowadays are mostly focused on security compromises, particularly offensive
strategies, imho. So it seems to me, there is probably a "fly in the
ointment" common to what everyone is doing on a semi-regular basis. To me
this sort of (justified/unjustified) paranoia should be incorporated into
the entire "hardened" effort at gentoo, imho, if not on a wider basis.

So please continue the "portage" thread discussion, but also a wider thread
concerning other source downloads. After all, *if* you can inject into
sources, which are then compiled, who checks under the under_garments? If
you read about "The rat" the most secure implementation had/has tainted its
very soul. [1]

curiously,
James

[1]
http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/
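As an added example (not a script anyone in the thread posted), here is the `<scriptname> package.just.downloaded package.just.downloaded.DIGESTS` check sketched in the post, written as a POSIX shell function. It assumes the DIGESTS file uses the layout of Gentoo release digests (a `# SHA512 HASH` header line followed by `sha512sum`-style `<hex>  <filename>` lines; any MD5/SHA1 sections are skipped) and that `sha512sum` or `shasum` is installed. The download and DIGESTS pair that `demo` builds in a temp directory are constructed inline so the block runs offline.

```shell
#!/bin/sh
# Added example, not a tool from the thread: verify a downloaded file
# against a DIGESTS file in the assumed Gentoo release layout.

# sha512_of <file>: print the hex SHA512 of a file (coreutils or BSD fallback)
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_digests <downloaded-file> <digests-file>
# Exit status: 0 = SHA512 matches, 1 = mismatch, 2 = no SHA512 entry for the file.
verify_digests() {
    file=$1
    digests=$2
    name=$(basename "$file")
    # Keep only the SHA512 section, and only the line naming our file.
    # Header lines look like "# SHA512 HASH"; entry lines "<hex>  <filename>".
    expected=$(awk -v n="$name" '
        /^# / { section = $2 }
        section == "SHA512" && $2 == n { print $1; exit }
    ' "$digests")
    [ -n "$expected" ] || return 2
    actual=$(sha512_of "$file")
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# demo: build a constructed download/DIGESTS pair, then print the exit codes
# of a clean check, a check after tampering, and a check of a file the
# DIGESTS does not list, as "<clean> <tampered> <missing>" (expected "0 1 2").
demo() {
    tmp=$(mktemp -d)
    pkg=$tmp/lilblue-sample.tar.xz
    printf 'constructed sample payload\n' > "$pkg"
    {
        echo '# SHA512 HASH'
        printf '%s  %s\n' "$(sha512_of "$pkg")" lilblue-sample.tar.xz
    } > "$pkg.DIGESTS"
    clean=0;    verify_digests "$pkg" "$pkg.DIGESTS" || clean=$?
    printf 'tampered\n' >> "$pkg"
    tampered=0; verify_digests "$pkg" "$pkg.DIGESTS" || tampered=$?
    printf 'x\n' > "$tmp/other.tar.xz"
    missing=0;  verify_digests "$tmp/other.tar.xz" "$pkg.DIGESTS" || missing=$?
    rm -rf "$tmp"
    echo "$clean $tampered $missing"
}

demo
```

A match only shows that the file you fetched is the one the DIGESTS file describes; when both were pulled from the same mirror that says nothing about who produced them, which is the post's point that the digest (or a signature over it) should come from a source you trust independently of the download server.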