On 03/05/15 09:49, Patrick Schleizer wrote:
> Hi,
>
> I am currently working on a comparison of package managers of which
> Portage is a part.
>
> https://www.whonix.org/wiki/Comparison_Of_Package_Managers
>
> Would you be interested in checking whether the current assessments are
> correct and/or in filling the remaining gaps?
>
> Where the comparison table is hosted or licensing (as long as it's Libre
> Software) doesn't matter much to me. Edits can be made by both anonymous
> and registered users. Those need to be verified by admins before they
> become visible by default for everyone. If you would like to have an
> account without that limitation, that is also possible.
>
> Cheers,
> Patrick
Looking at the table, it appears to be unaware of using FEATURES=webrsync-gpg instead of standard rsync. We offer a full copy of the repo which is compressed and GPG-signed, which would seem to mitigate a lot of the attacks in your table. Not that I necessarily agree that some of them even qualify as attacks, but webrsync-gpg would appear to mitigate attacks 3, 11, and 12.

Attack 7 is possible, but the user would know, since emerge tells you every time it is run how long it has been since a successful update, based on a timestamp in the portage tree which, for webrsync-gpg, the attacker cannot modify.

Attack 14 is not possible in Gentoo, as emerge will jump from mirror to mirror until it successfully gets the desired file. One would have to own all the mirrors (or at least hijack DNS) to stop the user from getting a file, but at that point it's no longer a malicious mirror attack.

I used the footnote numbers to reference the attacks.

-Zero
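The mirror-rotation behaviour described in the reply above (one unreachable or tampering mirror cannot stop the fetch, because each candidate file is checked against the Manifest digest before it is accepted) modelled as an added example; this is illustrative code, not Portage's own, and the mirrors, the distfile and its digest are constructed sample data:

```python
"""Model of fetch-with-fallback over a mirror list with Manifest digest checks.

Constructed sample data only: the distfile, its Manifest entry and the three
mirrors are stand-ins, not a real Gentoo mirror or repository.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample distfile and the digest a (signed) Manifest would carry.
GOOD_DISTFILE = b"hello-1.0.tar.gz contents (constructed sample)\n"
MANIFEST: Dict[str, str] = {
    "hello-1.0.tar.gz": hashlib.sha512(GOOD_DISTFILE).hexdigest(),
}


class MirrorError(Exception):
    """Network-level failure talking to a mirror (connection refused, timeout)."""


def mirror_unreachable(name: str) -> bytes:
    raise MirrorError("connection refused")


def mirror_tampered(name: str) -> bytes:
    # A malicious mirror serving a modified file under the requested name.
    return b"backdoored payload (constructed sample)\n"


def mirror_honest(name: str) -> bytes:
    return GOOD_DISTFILE


# Ordered mirror list as a user might configure it; hypothetical names.
MIRRORS: List[Tuple[str, Callable[[str], bytes]]] = [
    ("mirror-a.example", mirror_unreachable),
    ("mirror-b.example", mirror_tampered),
    ("mirror-c.example", mirror_honest),
]


def fetch_verified(name: str, mirrors, manifest) -> Tuple[Optional[bytes], List[Tuple[str, str]]]:
    """Try each mirror in turn; accept a file only if its SHA-512 matches the Manifest.

    Returns (data or None, per-mirror log). A digest mismatch is logged and the
    next mirror is tried, so a single bad mirror neither blocks nor poisons the fetch.
    """
    expected = manifest[name]
    log: List[Tuple[str, str]] = []
    for host, fetch in mirrors:
        try:
            data = fetch(name)
        except MirrorError as exc:
            log.append((host, f"unreachable: {exc}"))
            continue
        if hashlib.sha512(data).hexdigest() != expected:
            log.append((host, "digest mismatch, file discarded"))
            continue
        log.append((host, "ok"))
        return data, log
    return None, log  # every mirror failed: only then is the fetch denied
```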
