From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Portage + checksums
Date: Tue, 6 Apr 2010 22:41:18 +0200
Message-Id: <201004062241.18305.alan.mckinnon@gmail.com>
In-Reply-To: <8622C222D2FC9D499533B1EEF631D3930332DB4A6F@IMCMBX1.MITRE.ORG>

On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
> Thanks.
>
> Do you know if someone makes a change to a copy of apache hosted on a
> public mirror, will the sync between the servers determine that it's
> corrupted (via 'bad' checksum) on the public side and replace it?

I can answer this: I run a public Gentoo mirror (not an official one).

If I, or some clown, loads a trojaned copy of Apache source code into my
distfiles mirror, portage will complain bitterly because the hash in the
manifest will fail. Then you will know something is wrong.

If I trojan the ebuild and the portage tree to match my trojaned sources, you
will probably not pick it up. This would be very risky indeed for me to do as
I can't be sure you will sync the tree and get your distfiles from me.

You can check if my portage tree is up to date and how often I sync it by
comparing timestamps between me and upstream master at gentoo.org. In my case,
any trojans I host will get overwritten by gentoo.org masters every 12 hours.
Except if I have a sneaky --exclude in my rsync command, or my cron syncs and
then puts the trojan back.

It's not quite as simple as that, but the above will suffice what someone
already said: You cannot completely 100% trust a public mirror, or even
gentoo.org for that matter. I know I don't pull sneaky stunts with my mirror
but I can't prove that to you. I trust upstream to always do the right thing
and I hope you feel you can trust me likewise. But if you don't, I have no
choice but to accept your wishes and leave you to run whatever checksum
comparisons you feel are appropriate for your needs.

>
> -john
>
> -----Original Message-----
> From: Albert W. Hopkins [mailto:marduk@letterboxes.org]
> Sent: Tuesday, April 06, 2010 2:24 PM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Portage + checksums
>
> On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> > How can I verify that the installed packages on a Gentoo system came
> > from the same source that was on a main rotation mirror and/or
> > “blessed” by the Gentoo development team?
> >
> > By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am
> > I only confirming that the source was the same as that which was
> > downloaded from the mirror?
> >
> > I guess what I’m getting at is how can I be sure I can trust a
> > mirror?
> >
> > Thank you very much in advance for any insight provided,
>
> It really depends on your level of paranoia. Ultimately it can't be
> trusted at all.
>
> If you really want to be sure then just the source/manifest from your
> "trusted" mirror and compare.

-- 
alan dot mckinnon at gmail dot com
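The Manifest check Alan describes (portage refusing a distfile whose hash does not match the tree) and its limit (a Manifest forged together with the file passes) can be seen in this added example; it is not code from the thread or from Portage itself. It parses Manifest lines of the form "TYPE filename size HASH hex ...", and the package name, file bytes and Manifest line are constructed for the demonstration.

```python
import hashlib

# Manifest hash names mapped to hashlib; older trees used SHA1/SHA256, current ones BLAKE2B/SHA512.
HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
          "SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}

def parse_manifest(text):
    """Parse lines 'TYPE filename size [HASH hex]...' into {filename: (type, size, {hash: hex})}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("DIST", "EBUILD", "MISC", "AUX"):
            continue
        entries[parts[1]] = (parts[0], int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries

def verify_file(entries, name, data):
    """Return (ok, reason): size first, then every Manifest hash hashlib can compute.
    Note the limit the thread points out: if the Manifest was forged to match a
    trojaned file, this check passes; it proves file-matches-tree, not tree-is-clean."""
    if name not in entries:
        return False, "no Manifest entry"
    _, size, hashes = entries[name]
    if len(data) != size:
        return False, f"size mismatch: {len(data)} != {size}"
    checked = 0
    for algo, expected in hashes.items():
        ctor = HASHES.get(algo)
        if ctor is None:
            continue                      # unknown algorithm: skip, but do not count it
        if ctor(data).hexdigest() != expected.lower():
            return False, f"{algo} mismatch"
        checked += 1
    return (checked > 0), ("ok" if checked else "no verifiable hash")

def make_dist_line(name, data, algos=("SHA512", "BLAKE2B")):
    """Build a DIST line for the constructed sample below (a real one comes from the tree)."""
    return f"DIST {name} {len(data)} " + " ".join(f"{a} {HASHES[a](data).hexdigest()}" for a in algos)

# Constructed sample distfile and Manifest; not a real Gentoo package or hash.
GOOD = b"httpd-sample-source-archive\n" * 8
TAMPERED = GOOD[:-1] + b"!"     # same size, one byte changed: size check passes, hash fails
MANIFEST = make_dist_line("apache-sample.tar.bz2", GOOD)
ENTRIES = parse_manifest(MANIFEST)

if __name__ == "__main__":
    print(verify_file(ENTRIES, "apache-sample.tar.bz2", GOOD))      # (True, 'ok')
    print(verify_file(ENTRIES, "apache-sample.tar.bz2", TAMPERED))  # (False, 'SHA512 mismatch')
```

To run it against a real tree, read the Manifest from the ebuild's directory and the file from DISTDIR instead of the constructed sample; the Manifest's own integrity still rests on how the tree was obtained.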