Thank you Shimi. I also came across a couple of threads in my research:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/ and http://thread.gmane.org/gmane.linux.gentoo.devel/38363

These (from back in 2006/2008) discuss potential changes to make the Gentoo software distribution system more secure. Does Portage verify various different hash signatures on the source files as a result of these recommendations or is this something Portage has always done? Does anyone know if anything (else) ever came of these proposals? I'm new to the Gentoo community and am playing catch-up in regards to what's going on. Thank you.

-John

From: shimi [mailto:sh...@shimi.net]
Sent: Tuesday, April 06, 2010 4:27 PM
To: gentoo-security@lists.gentoo.org
Cc: Butterworth, John W.
Subject: Re: [gentoo-security] portage/rsync question

On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <jbutterwo...@mitre.org> wrote:

> Hi. I have a security-related question for Portage/rsync: If someone makes a change to a copy of a program (say a backdoor added to apache) hosted on a public mirror, will the sync'ing between the public mirror and the main rotation mirror determine that it's corrupted (via 'bad' checksum) on the public-mirror side and replace it?

If it's hosted @ Gentoo, if the main server is intact, the next sync will overwrite the mirror-local copy.

If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I understand that's the scenario you refer to).

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a cracker changing stuff at apache.org), when you try to *emerge* the package, emerge will fail because Portage verifies various different hash signatures on the source files - which are embedded in the portage package tree [1].

HTH,

--
Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest
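The check Shimi describes, as an added illustration that is not part of this thread or of Portage's own code: a small Python reader for the DIST lines of a Manifest (filename, size, then hash-name/hex pairs) that verifies a downloaded distfile against them. The Manifest text, the distfile bytes, the tampered copy and the filename are all constructed here, and only SHA256, SHA512 and BLAKE2B are recognised; real Manifests may list other hash names and Portage also checks the Manifest's own signature, which this does not model.

```python
"""Verify a distfile against the hashes recorded in a Gentoo Manifest DIST line."""
import hashlib

# Manifest hash names -> hashlib constructors (a subset of what Portage knows; assumption).
HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}


def parse_manifest(text):
    """Return {filename: (size, {HASHNAME: hexdigest})} for every DIST entry."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # other entry types (EBUILD, MISC, AUX) are ignored here
        name, size = fields[1], int(fields[2])
        digests = dict(zip(fields[3::2], fields[4::2]))  # pairs: NAME hex NAME hex ...
        entries[name] = (size, digests)
    return entries


def verify_distfile(name, data, manifest):
    """Return (ok, problems): size and every recognised hash must match the Manifest."""
    if name not in manifest:
        return False, ["no DIST entry for %s" % name]
    size, digests = manifest[name]
    problems = []
    if len(data) != size:
        problems.append("size mismatch")
    for algo, expected in digests.items():
        if algo in HASHES and HASHES[algo](data).hexdigest() != expected:
            problems.append("%s mismatch" % algo)
    return not problems, problems


def make_dist_line(name, data):
    """Build a DIST line for `data`; used only to construct the sample Manifest below."""
    parts = ["DIST", name, str(len(data))]
    for algo, fn in HASHES.items():
        parts += [algo, fn(data).hexdigest()]
    return " ".join(parts)


# Constructed sample: a stand-in for the pristine tarball and a same-size tampered copy,
# so the size check passes and only the hashes reveal the modification.
PRISTINE = b"pristine apache source tarball (constructed sample)\n"
TAMPERED = PRISTINE.replace(b"pristine", b"poisoned")
SAMPLE_NAME = "httpd-sample.tar.bz2"  # constructed filename, not a real distfile
SAMPLE_MANIFEST = make_dist_line(SAMPLE_NAME, PRISTINE) + "\n"

if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print(verify_distfile(SAMPLE_NAME, PRISTINE, manifest))  # (True, [])
    print(verify_distfile(SAMPLE_NAME, TAMPERED, manifest))  # (False, [... mismatch ...])
```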