Date: Wed, 7 Apr 2010 14:35:07 +0200
From: Jonas de Buhr
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Portage + checksums
Message-ID: <20100407143507.3dca719a@toxic.dbnet>
In-Reply-To: <201004070658.55487.michaelkintzios@gmail.com>
References: <8622C222D2FC9D499533B1EEF631D3930332DB4A02@IMCMBX1.MITRE.ORG> <201004070016.13793.alan.mckinnon@gmail.com> <201004070658.55487.michaelkintzios@gmail.com>
X-Mailer: Claws Mail 3.7.5 (GTK+ 2.18.7; x86_64-pc-linux-gnu)
List-Id: Gentoo Linux mail

> This was an argument against Gentoo more than six or seven years ago
> with regards to the security of the whole portage system.

Every package management system which uses hashes to verify integrity has the same problems.
I think a lot of source tarballs are downloaded from the official sites anyway. Someone really paranoid might manually check the patches.

> A number of suggestions were made in those early days, one of them being to sync
> with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
> these two most recent syncs. As far as I know people didn't go for
> this because it was perceived that the system as implemented was
> secure enough and anyway the proposed solution would put too much
> pressure on the mirrors.

I do not have the intention to restart the discussion you mentioned. But getting hashes and tarballs from the same source (mirror) doesn't go far for security.

At the moment I just trust the official mirrors and trust that the community would realize soon if there were trojaned packages, the same way I trust apache or the kernel devs not to do anything funny.

But I still like the idea of files signed with asynchr. crypt. I sure will have a look into "FEATURES=sign".

/jdb
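The point made above, that hashes fetched from the same mirror as the tarballs add little, illustrated with an added example that is not part of this thread and is not Portage code. It is a Go program (chosen because its standard library ships Ed25519) that models a mirror serving distfiles plus a Manifest, runs the hash-only check a client would do, and then runs the same check with a signature over the Manifest under a public key the client holds out of band. The simplified Manifest format, the Mirror type, the hypothetical release key and the use of Ed25519 in place of the GPG-based FEATURES=sign are all assumptions of the example; the sample tarball bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a distfile name to the hex SHA-256 of its contents. It is a
// simplified stand-in for a Portage Manifest, constructed for this example.
type Manifest map[string]string

// Mirror models what a single sync/distfiles host serves: the tarballs, the
// Manifest listing their hashes and, optionally, a detached signature over
// the Manifest. A hash-only client trusts everything that comes from this one host.
type Mirror struct {
	Files       map[string][]byte
	Manifest    Manifest
	ManifestSig []byte
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// encode renders the Manifest in a canonical order so that signer and
// verifier operate on exactly the same bytes.
func (m Manifest) encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "DIST %s SHA256 %s\n", n, m[n])
	}
	return buf.Bytes()
}

// VerifyHashOnly is the check a hash-only system performs: the downloaded
// file must match the hash listed in the Manifest fetched from the same mirror.
func VerifyHashOnly(mr Mirror, name string) bool {
	data, ok := mr.Files[name]
	if !ok {
		return false
	}
	want, ok := mr.Manifest[name]
	return ok && hashHex(data) == want
}

// VerifySigned adds the second check: the Manifest must carry a valid
// signature under a key the client obtained out of band, not from the mirror.
func VerifySigned(mr Mirror, name string, trusted ed25519.PublicKey) bool {
	if !ed25519.Verify(trusted, mr.Manifest.encode(), mr.ManifestSig) {
		return false
	}
	return VerifyHashOnly(mr, name)
}

// Tamper models a compromised mirror: it swaps a distfile and rewrites the
// Manifest hash so the file still "checks out". Without the signing key it
// can only leave the old signature in place, which no longer matches.
func Tamper(mr Mirror, name string, payload []byte) Mirror {
	out := Mirror{Files: map[string][]byte{}, Manifest: Manifest{}, ManifestSig: mr.ManifestSig}
	for k, v := range mr.Files {
		out.Files[k] = v
	}
	for k, v := range mr.Manifest {
		out.Manifest[k] = v
	}
	out.Files[name] = payload
	out.Manifest[name] = hashHex(payload)
	return out
}

// Demo builds an honest mirror signed by a hypothetical release key, then a
// tampered copy, and returns the four outcomes in order: hash-only on honest,
// hash-only on tampered, signed on honest, signed on tampered.
func Demo() [4]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const name = "foo-1.0.tar.gz" // constructed sample distfile
	honest := Mirror{
		Files:    map[string][]byte{name: []byte("original upstream tarball bytes")},
		Manifest: Manifest{},
	}
	honest.Manifest[name] = hashHex(honest.Files[name])
	honest.ManifestSig = ed25519.Sign(priv, honest.Manifest.encode())

	bad := Tamper(honest, name, []byte("tarball with an extra patch"))

	return [4]bool{
		VerifyHashOnly(honest, name),
		VerifyHashOnly(bad, name),
		VerifySigned(honest, name, pub),
		VerifySigned(bad, name, pub),
	}
}

func main() {
	r := Demo()
	fmt.Printf("hash-only: honest=%v tampered=%v\n", r[0], r[1])
	fmt.Printf("signed:    honest=%v tampered=%v\n", r[2], r[3])
}
```

The hash-only check passes on both mirrors, because the same host that serves the file also serves the hash; only the signed check rejects the tampered copy, and only because the verifying key was not obtained from that host. Syncing from two mirrors and diffing, as the quoted suggestion proposed, raises the bar only as long as the two are not both compromised; a signature over the Manifest does not depend on that.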