From: Jan Krueger (microgalaxy.net)
To: Thomas de Grenier de Latour, gentoo-dev@gentoo.org
Date: Sun, 7 Sep 2003 19:55:39 +0000
Subject: Re: [gentoo-dev] Some suggestions
Message-Id: <200309071955.39319.jk@microgalaxy.net>
In-Reply-To: <20030907193918.06808631.degrenier@easyconnect.fr>

On Sunday 07 September 2003 17:39, Thomas de Grenier de Latour wrote:
> On Sun, 7 Sep 2003 19:07:03 +0000
> Jan Krueger wrote:
> > The notable difference is:
> > /usr/sbin/foo is not executed automatically while emerge.
>
> You lack imagination: the bash scripts used by emerge are just
> as easy to corrupt using a src_install only ebuild.

So this clearly is a bug that must be fixed.

> > On the other hand I try to discuss on g-hardened how to detect malicious
> > code.
>
> Cryptographic signature as suggested by avenj would be a much more
> realistic approach here. Since I do my PhD in the security-oriented
> program analysis domain, it breaks my heart to say that, but it's a
> fact.

But even cryptographic signatures got compromised (by faulty algorithms, users handling the keys inappropriately, ..., and even gentoo-core [supposed to handle the keys] is made out of humans, and humans do make mistakes). So cryptographic signatures alone are not the holy grail, and neither is security-oriented program analysis. But each one of them raises the bar a little bit, and both of them a little bit more :)

So does fixing the security holes in portage. We have identified 2 big ones so far:

1. functions like pkg_postinst
2. easy to compromise bash scripts

and another one is already well known:

3. the centralized portage tree

That leads me to the conclusion: portage is insecure by design.

Please (the one responsible for it) clarify the statement: "Thanks to a technology called Portage, Gentoo Linux can become an ideal secure server" in http://www.gentoo.org/main/en/about.xml

I have to remove gentoo from my servers a little bit faster it seems...

Jan

-- 
gentoo-dev@gentoo.org mailing list