-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On April 13, 2004 04:50, Kevin Anderson wrote:
> on the off chance you emerge a package at a mirror that has been
> compromised, you would simply re-emerge the package and the update would be
> done.

once you knew it was compromised ... by which point it could well be too late ...

> 1) RPMs and other packages are compromised just as easily as source. And
> in almost every experience I've ever heard, random RPMs will have problems
> far before a source compile, particularly Gentoo's, but the one person I
> knew who uses Sorcerer said the same thing.

not really; RPMs from known sources are generally GPG signed. this means you
can check the provenance of a package by checking the signature. this is not
something that is fakable (within the reaches of mere mortals, anyways). so
RPMs from Debian, SUSE, Red Hat, Mandrake and so on are NOT compromised as
easily as Gentoo's ebuilds.

> 2) The official Gentoo mirrors rsync their portage trees daily. This
> means that either the entire source would be affected (which would be
> quickly noticed) or the compromised package would be overwritten within a
> day. Packages in the portage source tree should never be updated by an
> rsync. They should either be deleted (as old) and rewritten, or not
> touched.

even I could write a cronjob to grep the rsync log for "updated".

> There may be an occasional exception when something went to or from a
> masked state, but that's about it, and even there, it might be wiser to
> simply issue a newer package and mask the new one. I'm not sure how that's
> done now.

all well and good except that once owned, any of these checks and balances
can be worked around. such as: turn off rsync'ing of the file(s) in
question, fake the logs, etc... this also assumes the admins are always
watching, and i would wager you could easily find a multi-day window within
which your changes would go completely unnoticed without having to do
anything overtly nefarious.

not being cryptographically signed is a serious security flaw. they are
addressing it, and that is the good news. until that time, however, portage
is fundamentally untrustable. the same goes for random RPMs you pull off the
net, of course.

- -- 
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43

while (!horse()); cart();
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQFAfHWh1rcusafx20MRArnIAJ92IkGWi5UrnTZZVJ7SCjdRINSk7QCcC+xJ
LasR0V3HSXqAf/D/Klg2Hes=
=7jpq
-----END PGP SIGNATURE-----
_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
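The "cronjob to grep the rsync log" check that the thread argues over, worked through as an added example; this is not code from the original post or from Gentoo. It assumes the mirror's rsync writes its log with `--log-file` and the itemize-changes format (`%i %n%L`), so each transferred entry carries the eleven-column `YXcstpoguax` change string; the log lines below are constructed, and the `metadata/` allow-list is an assumption about which paths legitimately change every sync. Rather than grepping for a single word, it separates the three things the thread says a tree sync can do to a file (add it, delete it, or rewrite an existing one in place) and reports only the third, which is the case Kevin says should never happen to a package in the tree. As Aaron notes, an attacker who already owns the mirror can switch this logging off or forge it, so this is a canary for the rsync path only, not a substitute for signed packages.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of an rsync --log-file written with
# --log-file-format='%i %n%L' (format assumed); prefix is rsync's "date time [pid]".
SAMPLE_LOG = """\
2004/04/13 04:50:01 [4242] >f+++++++++ net-misc/openssh/openssh-3.8_p1-r1.ebuild
2004/04/13 04:50:01 [4242] >f+++++++++ net-misc/openssh/files/digest-openssh-3.8_p1-r1
2004/04/13 04:50:02 [4242] *deleting   net-misc/openssh/openssh-3.7.1_p2.ebuild
2004/04/13 04:50:02 [4242] >f.st...... net-misc/openssh/openssh-3.8_p1.ebuild
2004/04/13 04:50:03 [4242] >fc.t...... sys-apps/portage/files/digest-portage-2.0.50-r1
2004/04/13 04:50:03 [4242] .d..t...... sys-apps/portage/
2004/04/13 04:50:03 [4242] >f.st...... metadata/timestamp
"""

# "date time [pid] <11-char itemize string> <path>[ -> symlink target]"
LINE_RE = re.compile(r"^\S+ \S+ \[\d+\] (?P<item>.{11}) (?P<path>.+?)(?: -> .*)?$")

# Columns 2..7 of rsync's itemize string (YXcstpoguax) that describe what
# changed on an existing file; '.' in a column means "unchanged".
FLAG_NAMES = {2: "checksum", 3: "size", 4: "mtime", 5: "perms", 6: "owner", 7: "group"}

Event = Tuple[str, str, List[str]]  # (kind, path, changed attributes)


def parse_line(line: str) -> Optional[Event]:
    """Classify one log line as created / deleted / updated, or None for noise."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    item, path = m.group("item"), m.group("path")
    if item.startswith("*deleting"):
        return ("deleted", path, [])
    if item[1] != "f":  # directories, symlinks, devices: not tree payload
        return None
    if item[2:] == "+++++++++":  # rsync marks a newly created item with all pluses
        return ("created", path, [])
    if item[0] in "<>ch":  # a transfer (or local change) of a file that already existed
        flags = [name for col, name in FLAG_NAMES.items() if item[col] != "."]
        return ("updated", path, flags)
    return None  # '.' in column 0: attribute-only touch, no content transferred


def find_inplace_updates(log_text: str,
                         allowed_prefixes: Tuple[str, ...] = ("metadata/",)) -> List[Tuple[str, List[str]]]:
    """Return (path, changed attributes) for existing files rewritten in place.

    Additions and deletions are normal tree churn; an in-place rewrite of an
    ebuild or digest is the event the thread says should never occur. Paths
    under allowed_prefixes (assumed allow-list, e.g. the tree timestamp) are
    expected to change every sync and are not reported.
    """
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, path, flags = parsed
        if kind == "updated" and not path.startswith(allowed_prefixes):
            alerts.append((path, flags))
    return alerts


def summarize(log_text: str) -> dict:
    """Count events by kind, useful for the daily cron mail."""
    counts = {"created": 0, "deleted": 0, "updated": 0}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[0]] += 1
    return counts


if __name__ == "__main__":
    print("sync summary:", summarize(SAMPLE_LOG))
    for path, flags in find_inplace_updates(SAMPLE_LOG):
        print(f"ALERT: {path} rewritten in place ({', '.join(flags)})")
```

Run from cron after each sync with the real log file in place of `SAMPLE_LOG`; the two alerts in the sample are an ebuild whose size and mtime changed and a digest file whose checksum changed, which is exactly the shape a silently tampered tree would leave in the log, while the new openssh revision and the deletion of the old one pass without comment.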

