Date: Sun, 7 Nov 2004 15:49:22 +0000
From: Kurt Lieber
To: gentoo-security@lists.gentoo.org
Message-ID: <20041107154922.GH10927@mail.lieber.org>
In-Reply-To: <87d5ypu0in.fsf@peti.cryp.to>
References: <418D310B.6050106@ahsoftware.de> <20041106193125.A24826@netdirect.ca> <20041107152350.GF10927@mail.lieber.org> <87d5ypu0in.fsf@peti.cryp.to>
Subject: Re: [gentoo-security] Re: Trojan for Gentoo, part 2

On Sun, Nov 07, 2004 at 04:44:32PM +0100 or thereabouts, Peter Simons wrote:
> I think it is important to stress that everybody is on the
> same side here. The important thing right now is how to
> _fix_ this problem. As I see it, the simplest possible
> solution is this:
>
> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
> the Gentoo main system.
>
> (2) Sign the output with GPG.
>
> (3) Put it into the portage tree.
>
> (4) If the user has GPG installed and has manually put the
> appropriate public key in some place _outside_ of the
> portage tree, have "emerge sync" verify that the
> signature is intact and all hashes hold.
>
> Done.

People place way too much reliance on GPG and other public/private key systems... Let's assume we implement the above steps. What does that buy you? How do you know how many people have a copy of the private key used to sign that data? How do you know what sort of passphrase is used on it? (or if it even has a passphrase) How do you know the box that holds the private key is secure? Most importantly, how do you know when to stop? At some point, you're going to have to accept some level of risk.

--kurt
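The four steps Peter Simons sketches, written out as shell functions so the verification side can be exercised. This is an added example, not code from either poster or from Portage; the function names (make_manifest, sign_manifest, verify_signature, verify_manifest) and the separate GnuPG home directory are my own assumptions. It also goes one step beyond the quoted list: step (4) says "all hashes hold", but `sha1sum -c` only checks files that are listed, so an attacker-added file would pass; verify_manifest therefore also compares the set of files on disk against the set in the manifest. Kurt's point stands unchanged: none of this says anything about who holds the signing key or how it is protected.

```shell
#!/bin/sh
# Added example (not from the thread): tree hashing, signing and verification
# along the lines of steps (1)-(4). All function names are assumptions.
set -u

# Step (1): hash every regular file under $1. NUL-separated and sorted so the
# manifest is reproducible and safe for odd file names.
make_manifest() {  # make_manifest DIR  -> manifest on stdout
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha1sum -b )
}

# Step (2): detached, ASCII-armoured signature. The GnuPG home directory is
# passed explicitly so the key never lives inside the tree being signed.
sign_manifest() {  # sign_manifest MANIFEST GNUPGHOME
    gpg --homedir "$2" --batch --yes --detach-sign --armor --output "$1.asc" "$1"
}

# Step (4a): verify the signature against a keyring that "emerge sync" cannot
# overwrite, i.e. one outside /usr/portage (here: the given GnuPG home).
verify_signature() {  # verify_signature MANIFEST GNUPGHOME
    gpg --homedir "$2" --batch --verify "$1.asc" "$1" 2>/dev/null
}

# Step (4b): every listed hash must hold (exit 1 on mismatch or missing file),
# and no file may be present that the manifest does not list (exit 2).
# MANIFEST must be an absolute path because the check runs inside DIR.
verify_manifest() {  # verify_manifest DIR MANIFEST
    dir=$1; manifest=$2
    ( cd "$dir" && sha1sum -c --quiet --strict "$manifest" >/dev/null 2>&1 ) || return 1
    # Strip "<hash> *" from each manifest line to recover the listed paths.
    listed=$(sed 's/^[0-9a-f]* \*//' "$manifest" | sort)
    present=$( cd "$dir" && find . -type f | sort )
    [ "$listed" = "$present" ] || return 2
    return 0
}

# Stand-alone demonstration on a constructed throw-away tree:
#   sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    mkdir -p "$t/tree/app-foo/bar"
    printf 'DESCRIPTION="constructed sample"\n' > "$t/tree/app-foo/bar/bar-1.0.ebuild"
    make_manifest "$t/tree" > "$t/Manifest.sha1"
    verify_manifest "$t/tree" "$t/Manifest.sha1" && echo "clean tree: ok"
    printf 'tampered\n' >> "$t/tree/app-foo/bar/bar-1.0.ebuild"
    verify_manifest "$t/tree" "$t/Manifest.sha1" || echo "tampered tree: rc=$?"
    rm -rf "$t"
fi
```

The signature functions are only as strong as the key handling behind them, which is exactly the gap the reply above is pointing at; the manifest functions at least make the on-disk check itself complete, including the unlisted-file case that a bare `sha1sum -c` misses.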