To: gentoo-security@lists.gentoo.org
From: Peter Simons
Date: 07 Nov 2004 16:44:32 +0100
Subject: [gentoo-security] Re: Trojan for Gentoo, part 2
Message-ID: <87d5ypu0in.fsf@peti.cryp.to>
References: <418D310B.6050106@ahsoftware.de> <20041106193125.A24826@netdirect.ca> <20041107152350.GF10927@mail.lieber.org>

Kurt Lieber writes:

 > I can easily use the same flawed logic and say, "well,
 > none of our users ever bothered to submit patches to
 > portage to implement GPG signing, so it must not be
 > important to them."

I think it is important to stress that everybody is on the same
side here. The important thing right now is how to _fix_ this
problem. As I see it, the simplest possible solution is this:

 (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
     the Gentoo main system.

 (2) Sign the output with GPG.

 (3) Put it into the portage tree.

 (4) If the user has GPG installed and has manually put the
     appropriate public key in some place _outside_ of the
     portage tree, have "emerge sync" verify that the
     signature is intact and all hashes hold.

Done.

This is by no means perfect, obviously. But even if it means
that a dozen people have access to the secret key that generates
the signature, it is still a lot better than the current
situation.

Peter
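Steps (1) to (4) of the message above, as an added shell sketch that is not part of the original post and is not Portage code. The file names Manifest.sha1 and Manifest.sha1.asc, the function names, the use of gpgv and the keyring path are assumptions; it also goes one step beyond the message by rejecting files that exist in the tree but are not listed, which "sha1sum -c" alone does not notice.

```shell
#!/bin/sh
# Added example: manifest file names, function names and paths are hypothetical.

# Steps (1) and (3): hash every file in the tree, except the manifest and its
# signature, and store the list inside the tree. sha1sum is the tool named in
# the message; sha256sum accepts the same arguments.
make_manifest() {   # usage: make_manifest TREE
    ( cd "$1" && find . -type f ! -path ./Manifest.sha1 \
          ! -path ./Manifest.sha1.asc -print0 \
        | sort -z | xargs -0 -r sha1sum -b > Manifest.sha1 )
}

# Step (2), run on the master system where the secret key lives:
#   gpg --armor --detach-sign Manifest.sha1     (writes Manifest.sha1.asc)

# Step (4), hash part: succeed only if every listed hash holds AND the tree
# contains no file that is absent from the manifest.
check_tree() {      # usage: check_tree TREE
    ( cd "$1" || exit 2
      sha1sum -c Manifest.sha1 >/dev/null 2>&1 \
          || { echo "hash mismatch or missing file" >&2; exit 1; }
      # sha1sum -c only looks at listed files, so compare the file lists too.
      listed=$(sed 's/^[0-9a-f]* [ *]//' Manifest.sha1 | sort)
      present=$(find . -type f ! -path ./Manifest.sha1 \
                    ! -path ./Manifest.sha1.asc | sort)
      [ "$listed" = "$present" ] \
          || { echo "file in tree that is not in the manifest" >&2; exit 1; } )
}

# Step (4), complete: check the signature first, against a keyring stored
# outside the tree. gpgv accepts exactly the keys in that keyring, so a key
# shipped inside a tampered tree is never consulted.
verify_synced_tree() {   # usage: verify_synced_tree TREE /abs/path/keyring.gpg
    gpgv --keyring "$2" "$1/Manifest.sha1.asc" "$1/Manifest.sha1" || return 1
    check_tree "$1"
}

# Stand-alone use, e.g.: sh verify.sh /usr/portage /etc/portage-keys/trusted.gpg
if [ "$#" -eq 2 ]; then
    verify_synced_tree "$1" "$2"
fi
```
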