* [gentoo-user] Portage + checksums
From: Butterworth, John W. @ 2010-04-06 18:15 UTC
To: gentoo-user@lists.gentoo.org
How can I verify that the installed packages on a Gentoo system came from
the same source that was on a main rotation mirror and/or "blessed" by the
Gentoo development team?
By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am I
only confirming that the source was the same as that which was downloaded
from the mirror?
I guess what I'm getting at is how can I be sure I can trust a mirror?
Thank you very much in advance for any insight provided,
-john
* Re: [gentoo-user] Portage + checksums
From: Albert W. Hopkins @ 2010-04-06 18:24 UTC
To: gentoo-user
On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> How can I verify that the installed packages on a Gentoo system came
> from the same source that was on a main rotation mirror and/or
> “blessed” by the Gentoo development team?
>
> By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am
> I only confirming that the source was the same as that which was
> downloaded from the mirror?
>
> I guess what I’m getting at is how can I be sure I can trust a
> mirror?
>
> Thank you very much in advance for any insight provided,
It really depends on your level of paranoia. Ultimately it can't be
trusted at all.
If you really want to be sure then just the source/manifest from your
"trusted" mirror and compare.
* RE: [gentoo-user] Portage + checksums
From: Butterworth, John W. @ 2010-04-06 18:56 UTC
To: gentoo-user@lists.gentoo.org
Thanks.
Do you know if someone makes a change to a copy of apache hosted on a public mirror, will the sync between the servers determine that it's corrupted (via 'bad' checksum) on the public side and replace it?
-john
* Re: [gentoo-user] Portage + checksums
From: Jonas de Buhr @ 2010-04-06 20:10 UTC
To: gentoo-user
Hi!
>Do you know if someone makes a change to a copy of apache hosted on a
>public mirror, will the sync between the servers determine that it's
>corrupted (via 'bad' checksum) on the public side and replace it?
I'm not sure how gentoo mirrors do the syncing but in a lot of cases an
error like this would show up on the downloading (client-/mirror-) side
which won't help you at all if you don't trust the mirror.
The way I understand this, a problem is that any mirror may simply
regenerate hash values like RMD160 or SHA1 for modified sourcefiles. If
you don't compare them to those from a trusted server you will never
know.
So a general approach to this may be that some gentoo core team would
sign everything with one (or a set of) private key(s) of some kind and
publish the corresponding public key(s) on their website and with the
install images. The signature could easily be copied to mirrors but not
regenerated for changed sourcefiles.
However that would be a lot more work for the gentoo developers since
*few* (else it's pointless) trusted people with access to the private
key would have to approve every single update for every arch and
compare every source tarball to a trusted one.
Maybe you could run your own mirror and sync it to a trusted one?
Bye,
jdb
* Re: [gentoo-user] Portage + checksums
From: Alan McKinnon @ 2010-04-06 20:41 UTC
To: gentoo-user
On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
> Thanks.
>
> Do you know if someone makes a change to a copy of apache hosted on a
> public mirror, will the sync between the servers determine that it's
> corrupted (via 'bad' checksum) on the public side and replace it?
I can answer this: I run a public Gentoo mirror (not an official one).
If I, or some clown, loads a trojaned copy of Apache source code into
my distfiles mirror, portage will complain bitterly because the hash in the
manifest will fail. Then you will know something is wrong.
If I trojan the ebuild and the portage tree to match my trojaned sources, you
will probably not pick it up. This would be very risky indeed for me to do as
I can't be sure you will sync the tree and get your distfiles from me.
You can check if my portage tree is up to date and how often I sync it by
comparing timestamps between me and upstream master at gentoo.org. In my case,
any trojans I host will get overwritten by gentoo.org masters every 12 hours.
Except if I have a sneaky --exclude in my rsync command, or my cron syncs and
then puts the trojan back.
It's not quite as simple as that, but the above will suffice what someone
already said: You cannot completely 100% trust a public mirror, or even
gentoo.org for that matter. I know I don't pull sneaky stunts with my mirror
but I can't prove that to you. I trust upstream to always do the right thing
and I hope you feel you can trust me likewise. But if you don't, I have no
choice but to accept your wishes and leave you to run whatever checksum
comparisons you feel are appropriate for your needs.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Portage + checksums
From: Paul Hartman @ 2010-04-06 21:13 UTC
To: gentoo-user
On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
>> Thanks.
>>
>> Do you know if someone makes a change to a copy of apache hosted on a
>> public mirror, will the sync between the servers determine that it's
>> corrupted (via 'bad' checksum) on the public side and replace it?
>
> I can answer this, I run a public Gentoo mirror (not an official one)
>
> If I, or some clown, loads a trojaned copy of Apache source code into
> my distfiles mirror, portage will complain bitterly because the hash in the
> manifest will fail. Then you will know something is wrong.
>
> If I trojan the ebuild and the portage tree to match my trojaned sources, you
> will probably not pick it up. This would be very risky indeed for me to do as
> I can't be sure you will sync the tree and get your distfiles from me.
Isn't there something like FEATURES="gpg" to enable checking gpg
signatures on ebuilds? (I haven't tried it so I don't know if this is
actually used)
* Re: [gentoo-user] Portage + checksums
From: Alan McKinnon @ 2010-04-06 21:26 UTC
To: gentoo-user; +Cc: Paul Hartman
On Tuesday 06 April 2010 23:13:47 Paul Hartman wrote:
> On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> > On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
> >> Thanks.
> >>
> >> Do you know if someone makes a change to a copy of apache hosted on a
> >> public mirror, will the sync between the servers determine that it's
> >> corrupted (via 'bad' checksum) on the public side and replace it?
> >
> > I can answer this, I run a public Gentoo mirror (not an official one)
> >
> > If I, or some clown, loads a trojaned copy of Apache source code into
> > my distfiles mirror, portage will complain bitterly because the hash in
> > the manifest will fail. Then you will know something is wrong.
> >
> > If I trojan the ebuild and the portage tree to match my trojaned sources,
> > you will probably not pick it up. This would be very risky indeed for me
> > to do as I can't be sure you will sync the tree and get your distfiles
> > from me.
>
> Isn't there something like FEATURES="gpg" to enable checking gpg
> signatures on ebuilds? (I haven't tried it so I don't know if this is
> actually used)
FEATURES=sign
"man 5 make.conf" implies that the dev signs the Manifest by checking
something into the tree using repoman. Presumably, the user either has to
fetch the public key or portage includes it in the tree. But documentation in
the man pages is sparse, I can't find an explanation of how it should work.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Portage + checksums
From: Mark Knecht @ 2010-04-06 21:46 UTC
To: gentoo-user; +Cc: Paul Hartman
On Tue, Apr 6, 2010 at 2:26 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
<SNIP>
>
> FEATURES=sign
>
> "man 5 make.conf" implies that the dev signs the Manifest by checking
> something into the tree using repoman. Presumably, the user either has to
> fetch the public key or portage includes it in the tree. But documentation in
> the man pages is sparse, I can't find an explanation of how it should work.
>
>
> --
> alan dot mckinnon at gmail dot com
>
>
Do you use it?
- Mark
* Re: [gentoo-user] Portage + checksums
From: Alan McKinnon @ 2010-04-06 22:16 UTC
To: gentoo-user
On Tuesday 06 April 2010 23:46:48 Mark Knecht wrote:
> On Tue, Apr 6, 2010 at 2:26 PM, Alan McKinnon <alan.mckinnon@gmail.com>
> wrote: <SNIP>
>
> > FEATURES=sign
> >
> > "man 5 make.conf" implies that the dev signs the Manifest by checking
> > something into the tree using repoman. Presumably, the user either has to
> > fetch the public key or portage includes it in the tree. But
> > documentation in the man pages is sparse, I can't find an explanation of
> > how it should work.
> >
> >
> > --
> > alan dot mckinnon at gmail dot com
>
> Do you use it?
Without logging into the mirror host and checking, I really couldn't say. I
mirror what I get from gentoo.org with no alterations.
I don't use the feature locally on any of my own boxes.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Portage + checksums
From: Mick @ 2010-04-07 5:58 UTC
To: gentoo-user
On Tuesday 06 April 2010 23:16:13 Alan McKinnon wrote:
> On Tuesday 06 April 2010 23:46:48 Mark Knecht wrote:
> > On Tue, Apr 6, 2010 at 2:26 PM, Alan McKinnon <alan.mckinnon@gmail.com>
> > wrote: <SNIP>
> >
> > > FEATURES=sign
> > >
> > > "man 5 make.conf" implies that the dev signs the Manifest by checking
> > > something into the tree using repoman. Presumably, the user either has
> > > to fetch the public key or portage includes it in the tree. But
> > > documentation in the man pages is sparse, I can't find an explanation
> > > of how it should work.
> > >
> > >
> > > --
> > > alan dot mckinnon at gmail dot com
> >
> > Do you use it?
>
> Without logging into the mirror host and checking, I really couldn't say. I
> mirror what I get from gentoo.org with no alterations.
>
> I don't use the feature locally on any of my own boxes.
This was an argument against Gentoo more than six or seven years ago with
regards to the security of the whole portage system. A number of suggestions were
made in those early days, one of them being to sync with two mirrors and diff
the ebuilds/Manifests/Distfiles affected by these two most recent syncs. As
far as I know people didn't go for this because it was perceived that the
system as implemented was secure enough and anyway the proposed solution would
put too much pressure on the mirrors.
BTW, there was some compromise of a mirror in those early days and a lot (well,
maybe a few back then) of people had to reinstall because their boxen were
compromised, or thought that they might have been!
If you google you may find something lurking around from the long arguments
that took place and what D. Robbins said.
--
Regards,
Mick
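Added example, not written by anyone in this thread: a small Python model of the three points made above. It parses Manifest2 lines (the real `TYPE file size HASH hex ...` layout Portage uses), verifies a fetched distfile against its entry the way Portage does (Alan's "the hash in the manifest will fail"), shows that a mirror which regenerates the hashes alongside the altered file passes that check (Jonas's point), and diffs two mirrors' copies of the Manifest to catch exactly that (Mick's two-mirror suggestion). The file name, the distfile bytes and both Manifests are constructed here.

```python
import hashlib

# Constructed stand-ins: a "source tarball" as shipped upstream, and the
# same file after modification on an untrustworthy mirror.
DIST_NAME = "apache-stand-in.tar.bz2"
SAMPLE_DIST = b"constructed apache tarball stand-in\n"
TAMPERED_DIST = SAMPLE_DIST + b"# modified on the mirror\n"

# Hash algorithms this checker knows how to recompute.
SUPPORTED = {"SHA256": hashlib.sha256, "SHA1": hashlib.sha1,
             "SHA512": hashlib.sha512}

def manifest_line(ftype, name, data):
    """Build one Manifest2 line for DATA, exactly as a mirror operator
    could regenerate it after altering the file."""
    return "%s %s %d SHA256 %s SHA1 %s" % (
        ftype, name, len(data),
        hashlib.sha256(data).hexdigest(), hashlib.sha1(data).hexdigest())

def parse_manifest(text):
    """Parse Manifest2 lines '<TYPE> <file> <size> <HASH> <hex> ...' into
    {(type, file): (size, {hashname: hex})}; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # type, name, size plus at least one (name, value) pair -> odd count
        if len(parts) < 5 or len(parts) % 2 == 0:
            continue
        size = int(parts[2])
        entries[(parts[0], parts[1])] = (size, dict(zip(parts[3::2], parts[4::2])))
    return entries

def verify_file(entries, ftype, name, data):
    """Return [] when DATA matches its Manifest entry, otherwise the names of
    the checks that failed (this is the check Portage runs on a distfile)."""
    if (ftype, name) not in entries:
        return ["missing Manifest entry"]
    size, hashes = entries[(ftype, name)]
    failed = ["size"] if len(data) != size else []
    checked = 0
    for algo, expected in hashes.items():
        if algo in SUPPORTED:
            checked += 1
            if SUPPORTED[algo](data).hexdigest() != expected:
                failed.append(algo)
    if checked == 0:
        failed.append("no supported hash")
    return failed

def diff_manifests(a, b):
    """Entries whose size or hashes disagree between two mirrors' copies of
    the same Manifest: a regenerated hash shows up here, not in verify_file."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))

# Two "mirrors": one serving upstream's Manifest, one that regenerated it
# to match the tampered file, so verify_file alone cannot tell them apart.
UPSTREAM_MANIFEST = manifest_line("DIST", DIST_NAME, SAMPLE_DIST)
REGENERATED_MANIFEST = manifest_line("DIST", DIST_NAME, TAMPERED_DIST)
```

Against the upstream Manifest the tampered file fails on size and both hashes; against the regenerated Manifest it passes cleanly, and only diff_manifests over the two copies reports the entry.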
* Re: [gentoo-user] Portage + checksums
From: Jonas de Buhr @ 2010-04-07 12:35 UTC
To: gentoo-user
>This was an argument against Gentoo more than six or seven years ago
>with regards to the security of whole portage system.
Every package management system which uses hashes to verify integrity
has the same problems.
I think a lot of source tarballs are downloaded from the official sites
anyway. Someone really paranoid might manually check the patches.
>A number of
>suggestions were made in those early days, one of them being to sync
>with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
>these two most recent syncs. As far as I know people didn't go for
>this because it was perceived that the system as implemented was
>secure enough and anyway the proposed solution would put too much
>pressure on the mirrors.
I do not have the intention to restart the discussion you mentioned.
But getting hashes and tarballs from the same source (mirror) doesn't go
far for security. At the moment I just trust the official mirrors and
trust that the community would realize soon if there were trojaned
packages the same way I trust apache or the kernel devs not to do
anything funny.
But I still like the idea of files signed with asynchr. crypt. I sure
will have a look into "FEATURES=sign".
/jdb
* RE: [gentoo-user] Portage + checksums
From: Butterworth, John W. @ 2010-04-07 15:06 UTC
To: gentoo-user@lists.gentoo.org
So to avoid "spamming" with 20+ Thank You emails I'll send out just one and
thank you all collectively for the information provided (I hope this isn't
rude - I'm not sure of proper protocol in this situation).
I have a lot more insight now and some new ideas of where I need to look to
learn more. This is a great community and it reflects in the OS - I don't
know why I waited so long to try Gentoo.(??)!
-john