From: Jean-Michel Smith
To: Johannes Findeisen, gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] possible trojan in openssh-3.4p1
Date: Sat, 3 Aug 2002 11:09:07 -0500
Message-Id: <200208031109.07227.jean@kcco.com>
In-Reply-To: <200208020936.40432.you@hanez.org>
References: <20020801103714.A26100@capsi.com> <200208011539.05025.rkaper@ism.nl> <200208020936.40432.you@hanez.org>

On Friday 02 August 2002 02:36 am, Johannes Findeisen wrote:
> If this should be an option in portage, we always need to download two files
> from two servers to check if the md5sums are the same... :-(
> IMO it is good as it is. The gentoo-core team are providing an md5sum in the
> portage tree and that should be enough.

Until it isn't, which is going to happen, sooner or later.
Ideally each developer would GPG sign their source tarballs (and have their
public keys available from several independent locations, such as
key-servers, a public key-ring available for download, and purchase on CDR).

But at the very least, Gentoo should have a public keyring available (again,
from multiple sources to ensure the keyring itself hasn't been modified), and
each ebuild and digest file should be cryptographically signed. Emerge
should check those signatures and validate them before installing an ebuild.

If this issue isn't addressed in some fashion, it really only becomes a
question of time before Gentoo is trojanned via the ebuild/emerge process,
and the entire distro gets a big black eye as a result, and then addresses
these concerns anyway. Why not do it proactively instead?

Jean.
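The check Jean-Michel asks emerge to perform, as an added example in Python (not Portage code and not from this thread): verify the detached signature on a digest file against a dedicated keyring and a pinned set of developer fingerprints, and only then compare the downloaded tarball with what the digest lists. The `MD5 <hex> <file> <size>` digest-line layout, the keyring path, the fingerprint and the `verify_distfile` name are assumptions made for the example.

```python
import hashlib
import subprocess
from typing import Optional

# Constructed trust anchor: developer key fingerprints from the (assumed)
# Gentoo public keyring, pinned out of band, not fetched from the mirror.
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
FATAL = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def parse_gpg_status(status: str, trusted=TRUSTED_FPRS) -> Optional[str]:
    """Return the signing fingerprint if gpg's --status-fd output reports a
    valid signature from a trusted key, else None. Any fatal line rejects
    the file even when a VALIDSIG line is also present."""
    fpr = None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return None
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            fpr = fields[2]  # VALIDSIG <fingerprint> <date> <timestamp> ...
    return fpr if fpr in trusted else None


def gpg_verify(sig_path: str, data_path: str, keyring: str) -> Optional[str]:
    """Verify a detached signature with a dedicated keyring, never the default."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout)


def check_digest(digest_text: str, filename: str, data: bytes) -> bool:
    """Check a downloaded distfile against digest lines of the assumed form
    'MD5 <hex> <filename> <size>'; both the hash and the size must match."""
    for line in digest_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "MD5" and fields[2] == filename:
            size_ok = len(data) == int(fields[3])
            return size_ok and hashlib.md5(data).hexdigest() == fields[1].lower()
    return False  # unlisted file: refuse rather than fall back to trust


def verify_distfile(digest_path, sig_path, keyring, filename, data) -> bool:
    # The digest is only consulted after its signature checks out.
    if gpg_verify(sig_path, digest_path, keyring) is None:
        return False
    with open(digest_path, encoding="ascii") as fh:
        return check_digest(fh.read(), filename, data)
```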