From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] About boosting sync
Date: Tue, 2 Dec 2008 19:19:58 -0800
Message-ID: <20081203031958.GE28859@curie-int.orbis-terrarum.net>
In-Reply-To: <cea53e3c0812020946pc830a2bgb6d4d81fa8e9ef10@mail.gmail.com>

On Tue, Dec 02, 2008 at 07:46:13PM +0200, Tambet wrote:
> Has anyone ever noticed that portage tree contains a lot of md5 hashes,
> which are not at all important for using it? I think that it does not make
> reliability or functionality smaller any bit if those would all stay in sync
> servers - anyway, syncing would go much faster and this tree smaller. What
> about removing all those md5 hashes and downloading them only when they're
> needed?

Umm, what are you on?
There are no more MD5s in Manifest2. It should be only RMD160, SHA1, SHA256.
If you DO find a Manifest with an MD5, I'd REALLY like to know about it.
As for the importance of Manifests and the hashes, I'd like to offer the
following as suggested reading:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
Specifically, see the papers page, and find the paper from CCS 2008 [1].
He DID solicit input from me on how Gentoo deals with the issue, and gave
it fair coverage in my opinion.

It's CRITICALLY important that the checksums go with the content, and that
the checksums are later verified themselves against a known up-to-date
source.

If you're interested in the Gentoo side of it, specifically how it ties
into tree-signing, read my GLEPs:
http://www.gentoo.org/proj/en/glep/glep-0057.html
http://www.gentoo.org/proj/en/glep/glep-0058.html
http://www.gentoo.org/proj/en/glep/glep-0059.html
http://www.gentoo.org/proj/en/glep/glep-0060.html
http://www.gentoo.org/proj/en/glep/glep-0061.html

[1] Cappos, J. et al. "A Look In the Mirror: Attacks on Package Managers".
(2008). Published in the proceedings of ACM CCS 2008.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
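The two checks the message insists on (the checksums travel with the content, and the checksum list is itself verified against a trusted, up-to-date source) as an added Python example. This is not code from the message, from Portage, or from the GLEPs. The Manifest2 line layout (TYPE name size LABEL hex LABEL hex ...) and the RMD160/SHA1/SHA256 labels follow GLEP 44; everything else is assumed for the demo: the sample files, the "trusted digest plus timestamp" record that stands in for the OpenPGP tree signature of GLEPs 57-61, the one-day freshness window, and the policy of requiring SHA256. Mirror-replay of a stale snapshot and the thread's proposal (ship the Manifest without hashes) are both exercised.

```python
# Added example, not Portage code. All inputs are constructed for the demo.
import hashlib
import time

# Manifest2 hash labels (GLEP 44) -> hashlib algorithm names.
HASH_ALGOS = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}
# Assumed policy: an entry lacking any of these is rejected outright.
REQUIRED_HASHES = {"SHA256"}

# Constructed sample tree snapshot: file name -> contents (not real files).
SAMPLE_FILES = {
    "foo-1.0.ebuild": b'EAPI=2\nDESCRIPTION="constructed sample ebuild"\n',
    "foo-1.0.tar.gz": b"not a real tarball, just constructed sample bytes\n",
}

def available_hashes():
    """Labels this Python/OpenSSL build can compute (RMD160 is often absent
    from OpenSSL 3's default provider, so probe instead of assuming)."""
    out = {}
    for label, name in HASH_ALGOS.items():
        try:
            hashlib.new(name)
            out[label] = name
        except ValueError:
            pass
    return out

def build_manifest(files):
    """Emit Manifest2 lines: 'TYPE name size LABEL hex LABEL hex ...'."""
    avail = available_hashes()
    lines = []
    for name, data in sorted(files.items()):
        ftype = "EBUILD" if name.endswith(".ebuild") else "DIST"
        fields = [ftype, name, str(len(data))]
        for label, algo in avail.items():
            fields += [label, hashlib.new(algo, data).hexdigest()]
        lines.append(" ".join(fields))
    return "\n".join(lines) + "\n"

def parse_manifest(text):
    """Return {name: (type, size, {label: hex})}; reject malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) < 3 or len(parts) % 2 == 0:  # 3 fields + label/hex pairs
            raise ValueError("malformed Manifest line %d" % lineno)
        entries[parts[1]] = (parts[0], int(parts[2]),
                             dict(zip(parts[3::2], parts[4::2])))
    return entries

def check_entry(name, data, entry):
    """Problems (empty list == ok) for one file against its Manifest entry."""
    ftype, size, hashes = entry
    problems = []
    if len(data) != size:
        problems.append("%s: size %d != %d" % (name, len(data), size))
    for label in sorted(REQUIRED_HASHES - set(hashes)):
        problems.append("%s: required hash %s missing" % (name, label))
    avail = available_hashes()
    for label, expected in hashes.items():
        if label not in HASH_ALGOS:
            problems.append("%s: unknown hash type %s" % (name, label))
        elif label in avail:
            if hashlib.new(avail[label], data).hexdigest() != expected.lower():
                problems.append("%s: %s mismatch" % (name, label))
        elif label in REQUIRED_HASHES:
            problems.append("%s: cannot compute required %s" % (name, label))
    return problems

def verify_tree(manifest_text, files, trusted_digest, trusted_time, now, max_age):
    """(1) The Manifest must match a digest from a trusted source (a
    hypothetical out-of-band record here; the real design uses OpenPGP) and
    that record must be fresh, so a mirror cannot replay an old snapshot;
    (2) every file must match its entry; (3) every non-DIST entry must be
    present (DIST files are checked the same way when fetched)."""
    problems = []
    if hashlib.sha256(manifest_text.encode()).hexdigest() != trusted_digest:
        problems.append("Manifest does not match trusted digest")
    if now - trusted_time > max_age:
        problems.append("trusted record is stale (%ds old)" % (now - trusted_time))
    entries = parse_manifest(manifest_text)
    for name, data in files.items():
        if name not in entries:
            problems.append("%s: not listed in Manifest" % name)
        else:
            problems += check_entry(name, data, entries[name])
    for name, (ftype, _, _) in entries.items():
        if ftype != "DIST" and name not in files:
            problems.append("%s: listed but missing" % name)
    return (not problems, problems)

def demo():
    """Four constructed scenarios; returns {scenario: accepted?}."""
    manifest = build_manifest(SAMPLE_FILES)
    digest = hashlib.sha256(manifest.encode()).hexdigest()
    now, day = int(time.time()), 86400
    results = {"clean": verify_tree(manifest, SAMPLE_FILES, digest, now, now, day)[0]}
    # Mirror swaps the tarball but keeps the original Manifest.
    tampered = {**SAMPLE_FILES, "foo-1.0.tar.gz": b"trojaned bytes\n"}
    results["tampered"] = verify_tree(manifest, tampered, digest, now, now, day)[0]
    # Mirror replays a week-old but internally consistent snapshot.
    results["stale"] = verify_tree(manifest, SAMPLE_FILES, digest, now - 7 * day, now, day)[0]
    # The thread's proposal: ship the Manifest with its hashes stripped.
    stripped = "".join(" ".join(l.split()[:3]) + "\n" for l in manifest.splitlines())
    sdigest = hashlib.sha256(stripped.encode()).hexdigest()
    results["no_hashes"] = verify_tree(stripped, SAMPLE_FILES, sdigest, now, now, day)[0]
    return results
```

`demo()` returns True only for the clean snapshot. The "stale" case is the one the message's second sentence is about: the Manifest is internally consistent and matches the trusted digest, yet it is rejected because the trusted record is older than the window, which is what stops a mirror from serving a frozen tree with known-bad packages. The "no_hashes" case shows why the proposal in the thread fails: with the hashes stripped from the Manifest there is nothing to bind the ebuild or tarball bytes to the signed list.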