On Thursday 20 March 2008, Florian Philipp wrote:
> Hi list!
>
> Am I right that there is currently no way portage tries to verify
> that the rsync-mirror is not spoofed?
>
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making
> false updates and thus executing a malicious program with
> root-permission on their machine.
>
>
> So, why isn't there some kind of public key authentication going on,
> at least optionally?
>
> By the way: How does gentoo's gpg-feature work? The man-page doesn't
> contain an explanation.

As Mansour already pointed out, the only check Portage currently does is 
comparing checksums from the Manifest in your tree (rsync delivered) 
against the files in the tree (also rsync, will be executed as root) 
and those downloaded from SRC_URI (usually distfiles).

The only way to secure this is to employ signing at the very source 
(CVS, core gentoo infra) and then check it on the user side. If you 
want to do this right now, you can change your tree syncing to manually 
download the gpg-signed portage-latest.tar.bz2 tree snapshots from your 
local distfiles mirror and check them.

If you want to know more details on the plans we have to implement 
signing via rsync, please read, and feel free to comment on:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/

Regards,
Robert
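The Manifest check described above, as an added Python example (not Portage's own code; the Manifest line layout "TYPE name size HASH hex ..." and the constructed file contents are assumptions): it passes for a genuine tree, fails for a file altered without its Manifest, and passes again when a mirror rewrites the file and the Manifest together, which is why checking against a signature made at the source is needed.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse 'TYPE name size HASH hex [HASH hex ...]' lines into {name: (size, {HASH: hex})}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("DIST", "EBUILD", "AUX", "MISC"):
            continue
        entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries

def verify_file(path, size, hashes):
    """True only if the size and every listed digest match the file on disk."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != size:
        return False
    # hashlib.new() raises for an unknown algorithm on purpose: never skip a digest silently.
    return all(hashlib.new(algo.lower(), data).hexdigest() == hexdigest
               for algo, hexdigest in hashes.items())

def verify_tree(tree_dir):
    """The check the reply describes: every Manifest entry against the tree on disk."""
    with open(os.path.join(tree_dir, "Manifest")) as f:
        manifest = parse_manifest(f.read())
    return all(verify_file(os.path.join(tree_dir, name), size, hashes)
               for name, (size, hashes) in manifest.items())

def make_tree(files, manifest_for=None):
    """Constructed tree: write `files` (name -> bytes) plus a Manifest computed
    from `manifest_for` (defaults to `files`, i.e. a self-consistent tree)."""
    tree_dir = tempfile.mkdtemp()
    for name, data in files.items():
        with open(os.path.join(tree_dir, name), "wb") as f:
            f.write(data)
    with open(os.path.join(tree_dir, "Manifest"), "w") as f:
        for name, data in (manifest_for or files).items():
            f.write("EBUILD %s %d SHA256 %s\n"
                    % (name, len(data), hashlib.sha256(data).hexdigest()))
    return tree_dir

# Constructed sample trees (file contents are illustrative, not real ebuilds).
ORIGINAL = {"foo-1.0.ebuild": b'DESCRIPTION="foo"\n'}
ALTERED = {"foo-1.0.ebuild": b'DESCRIPTION="foo"\nsrc_install() { :; }\n'}
GENUINE = make_tree(ORIGINAL)                          # tree and Manifest agree
CORRUPTED = make_tree(ALTERED, manifest_for=ORIGINAL)  # file changed, Manifest not
REWRITTEN = make_tree(ALTERED)                         # file and Manifest both rewritten
```

The REWRITTEN tree verifies cleanly even though nothing in it came from Gentoo, because the Manifest arrived over the same channel as the files it describes.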
