public inbox for gentoo-portage-dev@lists.gentoo.org
From: Mark Kubacki <wmark@hurrikane.de>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Date: Fri, 6 Mar 2015 14:53:02 +0100	[thread overview]
Message-ID: <CAHw5crJ5oYqT-hXmpf0zzzf18J29vDzPpRLd+FyuzS6z2+MyQg@mail.gmail.com> (raw)
In-Reply-To: <54F8FB24.5060906@gentoo.org>

2015-03-06 1:56 GMT+01:00 Rick "Zero_Chaos" Farina <zerochaos@gentoo.org>:
>
> tl;dr webrsync-gpg is a built in feature of the package manager which
> OPTIONALLY adds a significant amount of security against the attacks
> described on your website.  This is not currently the default setting,
> however, it is described in many hardening guides for gentoo and widely
> used among the security conscious.

Without numbers backing that up this is speculation.

Given the default settings (without webrsync-gpg)…:

> (8) Wrong software installation.

Observe the DNS requests for the rsync- or webrsync mirror. They're
not encrypted and give you a nice heads-up.

A. (data in transit) It's almost never HTTPS and/or without
authentication, so you can easily proceed to hijacking the connection.
- Primed that way (DNS), insert a new rule into a router (or
nameserver) along the path or within the DC to redirect the
transaction. (See "quantum insert".)

B. (data at rest) Bribe or coerce the owner of the (portage tree)
mirror. Manifests and ebuilds are not centrally signed and there is no
authoritative "signing transparency"/record (see "certificate
transparency").

-- 
Mark
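
An added example, not part of this thread or of Portage itself: a small POSIX
shell audit that classifies a host's sync setup along the lines Mark and Rick
are arguing about. It reads FEATURES from a make.conf-style file and
`sync-type` from the `[gentoo]` section of a repos.conf-style file, and reports
whether the tree arrives over unauthenticated rsync, over webrsync without
signature checking, or over webrsync with `webrsync-gpg` enabled. The
repos.conf key names and the sample files in the demo are assumptions made for
the example; the paths are constructed, not read from a live system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a Gentoo host's
# portage sync configuration for the weaknesses discussed above.
# Assumptions: make.conf is shell syntax with a FEATURES variable, and
# repos.conf is INI-style with a [gentoo] section carrying sync-type.

# Return 0 if FEATURES in the make.conf given as $1 contains "webrsync-gpg".
# make.conf is sourced in a subshell so ${VAR} references expand as Portage
# would expand them; a leading "-webrsync-gpg" (explicit disable) does not match.
has_webrsync_gpg() {
  (
    . "$1" 2>/dev/null || exit 1
    case " $FEATURES " in
      *" webrsync-gpg "*) exit 0 ;;
      *) exit 1 ;;
    esac
  )
}

# Print the value of key $2 in section [$1] of the INI-style file $3.
# Handles both "key = value" and "key=value"; prints nothing if absent.
repo_key() {
  awk -v sec="[$1]" -v key="$2" '
    /^\[/ { insec = ($0 == sec); next }
    insec && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
    }
  ' "$3"
}

# Classify the sync setup described by make.conf $1 and repos.conf $2.
# Prints exactly one of:
#   rsync-unauthenticated  plain rsync: no transport auth, no tree signature
#   webrsync-unverified    snapshot fetched, but its signature is never checked
#   webrsync-gpg           snapshot signature checked against PORTAGE_GPG_DIR
#   unknown                sync-type missing or not one of the above
sync_risk() {
  mk="$1"; rc="$2"
  stype=$(repo_key gentoo sync-type "$rc")
  case "$stype" in
    rsync) echo rsync-unauthenticated ;;
    webrsync)
      if has_webrsync_gpg "$mk"; then echo webrsync-gpg; else echo webrsync-unverified; fi ;;
    *) echo unknown ;;
  esac
}

# Demo on constructed sample files (not real system configuration).
demo() {
  d=$(mktemp -d) || return 1
  printf 'FEATURES="buildpkg webrsync-gpg"\n' > "$d/make.conf.gpg"
  printf 'FEATURES="buildpkg"\n' > "$d/make.conf.plain"
  printf '[DEFAULT]\nmain-repo = gentoo\n\n[gentoo]\nlocation = /usr/portage\nsync-type = rsync\nsync-uri = rsync://rsync.gentoo.org/gentoo-portage\n' > "$d/repos.conf.rsync"
  printf '[gentoo]\nsync-type=webrsync\n' > "$d/repos.conf.web"
  echo "rsync, gpg feature on:   $(sync_risk "$d/make.conf.gpg"   "$d/repos.conf.rsync")"
  echo "webrsync, gpg on:        $(sync_risk "$d/make.conf.gpg"   "$d/repos.conf.web")"
  echo "webrsync, gpg off:       $(sync_risk "$d/make.conf.plain" "$d/repos.conf.web")"
  rm -rf "$d"
}

demo
```

Note what the first line of the demo shows: turning on `webrsync-gpg` changes
nothing for a host that still syncs with `sync-type = rsync`, because the
feature only governs how `emerge-webrsync` treats the snapshot's detached
signature. That is the gap between "built in, optional" in Rick's summary and
"default settings" in Mark's reply.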



Thread overview: 17+ messages
2015-03-05 14:49 [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers Patrick Schleizer
2015-03-05 15:30 ` Rick "Zero_Chaos" Farina
2015-03-05 19:14   ` Patrick Schleizer
2015-03-06  0:56     ` Rick "Zero_Chaos" Farina
2015-03-06 13:53       ` Mark Kubacki [this message]
2015-03-06 15:20         ` Rick "Zero_Chaos" Farina
2015-03-06 16:13           ` Brian Dolbec
2015-03-06 17:50           ` Mark Kubacki
2015-03-07 23:26             ` Zac Medico
2015-03-08  1:24               ` Brian Dolbec
2015-03-08  2:31                 ` Zac Medico
2015-03-08  5:44                   ` Brian Dolbec
2015-03-08 14:59               ` Patrick Schleizer
2015-03-08 20:10                 ` Zac Medico
2015-03-08 15:02               ` Mark Kubacki
2015-03-08 21:02                 ` Zac Medico
2015-03-06 15:43 ` Patrick Schleizer
