Mansour Moufid wrote:
An attacker would need to be able to manipulate both the rsync server
and the actual downloaded packages since Portage verifies checksums
(RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
using DNS spoofing.


I don't think this is exactly true, since when I do an emerge --rsync I also get patches, which can get applied. It could also download a different package without a second DNS spoof. Someone could change what it is trying to download (SRC_URI); it fails to find it in the package mirrors and downloads the package from a malicious site.


Russell Valentine
--
gentoo-security@lists.gentoo.org mailing list
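
Added example, not part of the original thread and not Portage's own code: a minimal Python model of the size and digest check discussed above, run on constructed data. It shows that the check only ties a file to whatever Manifest arrived with the tree, so a Manifest from a different tree accepts different contents. The helper names and the simplified `DIST`/`AUX` line layout are assumptions.

```python
import hashlib

# Manifest labels mapped to hashlib names. RMD160 is left out because
# hashlib's ripemd160 depends on the local OpenSSL build.
HASHES = {"SHA1": "sha1", "SHA256": "sha256"}

def manifest_line(kind, name, data):
    """Build one entry: DIST for distfiles, AUX for patches under files/."""
    fields = [kind, name, str(len(data))]
    for label, algo in HASHES.items():
        fields += [label, hashlib.new(algo, data).hexdigest()]
    return " ".join(fields)

def parse_manifest(text):
    """Return {(kind, name): (size, {label: hexdigest})}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("DIST", "AUX"):
            continue
        digests = dict(zip(parts[3::2], parts[4::2]))
        entries[(parts[0], parts[1])] = (int(parts[2]), digests)
    return entries

def verify(entries, kind, name, data):
    """True if data matches the recorded size and every supported digest."""
    size, digests = entries.get((kind, name), (None, {}))
    if size != len(data):
        return False
    known = [label for label in HASHES if label in digests]
    return bool(known) and all(
        hashlib.new(HASHES[l], data).hexdigest() == digests[l] for l in known)

# Constructed sample data: the tree as published, and a tree from another source.
GOOD_TARBALL = b"original release contents"
OTHER_TARBALL = b"different contents"
PUBLISHED_TREE = manifest_line("DIST", "foo-1.0.tar.gz", GOOD_TARBALL)
SUBSTITUTED_TREE = manifest_line("DIST", "foo-1.0.tar.gz", OTHER_TARBALL)

def demo():
    published = parse_manifest(PUBLISHED_TREE)
    substituted = parse_manifest(SUBSTITUTED_TREE)
    name = "foo-1.0.tar.gz"
    return (verify(published, "DIST", name, GOOD_TARBALL),     # matching file
            verify(published, "DIST", name, OTHER_TARBALL),    # mismatch caught
            verify(substituted, "DIST", name, OTHER_TARBALL))  # passes anyway
```

The third result is the point of the reply: the digests catch a tampered download only when the Manifest they are read from can itself be trusted.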
