Date: Mon, 8 Nov 2004 03:01:31 +0000 (GMT)
From: Ed Grimm
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Re: No, apparently not.

On Mon, 8 Nov 2004, Peter Simons wrote:

> Ed Grimm writes:
>
>> So how is it that having the Manifest files all signed,
>> and having the Manifest signatures checked, and checking
>> all the MD5 sums in the Manifest files against the files
>> in the directories only a partial answer?
>
> /usr/portage/eclass is not authenticated by this and
> contains shell code that's (possibly) executed with
> superuser privileges.

Would the obvious fix not be to provide signed Manifest files for the
eclasses as well?

Ed
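
An added illustration of the coverage gap discussed in this message (not part of the original mail and not Portage's own code): a check that reports files whose MD5 differs from their Manifest entry and files that no Manifest lists at all, which is the situation the thread describes for /usr/portage/eclass. The `MD5 <digest> <path> <size>` entry format, the function names and the sample tree are assumptions; verifying the signature on each Manifest is assumed to happen separately.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def parse_manifest(path):
    """Assumed entry format: 'MD5 <hex digest> <relative path> <size>'."""
    rows = [line.split() for line in Path(path).read_text().splitlines()]
    return {r[2]: r[1] for r in rows if len(r) == 4 and r[0] == "MD5"}

def audit_tree(root):
    """Return (mismatched, uncovered) file paths relative to root."""
    expected = {}  # normalised path -> digest promised by some Manifest
    for dirpath, _dirs, files in os.walk(root):
        if "Manifest" in files:
            # Entries are relative to the directory holding the Manifest.
            listed = parse_manifest(os.path.join(dirpath, "Manifest"))
            for rel, digest in listed.items():
                expected[os.path.normpath(os.path.join(dirpath, rel))] = digest
    mismatched, uncovered = [], []
    # Every other file must be listed by a Manifest and match its digest.
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f != "Manifest"):
            full = os.path.normpath(os.path.join(dirpath, name))
            if full not in expected:
                uncovered.append(os.path.relpath(full, root))
            elif expected[full] != hashlib.md5(Path(full).read_bytes()).hexdigest():
                mismatched.append(os.path.relpath(full, root))
    return sorted(mismatched), sorted(uncovered)

def build_sample_tree(root):
    """Constructed sample: a package with a Manifest and an eclass without one."""
    pkg = {"foo-1.0.ebuild": b"# ebuild\n", "files/fix.patch": b"# patch\n"}
    lines = ["MD5 %s %s %d\n" % (hashlib.md5(d).hexdigest(), rel, len(d))
             for rel, d in pkg.items()]
    tree = {"app-misc/foo/" + rel: d for rel, d in pkg.items()}
    tree["app-misc/foo/Manifest"] = "".join(lines).encode()
    # The patch on disk differs from what the Manifest recorded.
    tree["app-misc/foo/files/fix.patch"] += b"changed after the Manifest was written\n"
    tree["eclass/example.eclass"] = b"# shell code sourced by ebuilds\n"
    for rel, data in tree.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

On the constructed tree the modified patch shows up as mismatched, while the eclass file shows up as uncovered: no digest check ever looks at it, whatever its contents.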