Re: [gentoo-security] Re: Gentoo Portage Attack Tree

[Ed Grimm <paranoid@gentoo.evolution.tgape.org>]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: TEXT/PLAIN; charset=utf-8, Size: 1637 bytes --]

On Mon, 8 Nov 2004, Peter Simons wrote:
> Ervin Németh writes:
>> How about this: the developers have to sign the files
>> they upload, but do this before they upload them?
>
> I believe that it is practically unfeasible to verify the
> signatures of dozens of people which are spread over dozens
> of different directories. By building the signatures into
> Portage only, you require the user to have a working Gentoo
> system before he can verify he has a _real_ Gentoo system.
> When Portage runs the checks, it is too late. You have to be
> able to verify the authenticity of your downloaded files
> before you start the first executable you've downloaded.
> That's why I am in favor of a simple, ordinary text file
> which is GPG-signed and contains ordinary hashes.

Before you have a Gentoo system, you need to download a Gentoo CD image,
or you need to get a Gentoo CD.  The Gentoo CD images can be signed
themselves, so you can verify it before it is extracted.

After you've booted with the install image, it's too late - how do you
trust the software on the install disk, if you haven't checked it
already?

Is there a way you can install Gentoo without using an install image?
Well, I know one, but it basically would be 'download portage code,
check signature, install code, run code'.  I don't see the problem.  The
only way I'd see a problem here is if the user didn't have cryptographic
checking software already, in which case it isn't a problem, because the
user is trusting everything.  (That is, there's nothing you can do to
assure them of the Gentoo package authenticity, so there's no need to
worry about it.)

Ed

[-- Attachment #2: Type: text/plain, Size: 42 bytes --]

--
gentoo-security@gentoo.org mailing list