From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Butterworth, John W."
To: "gentoo-user@lists.gentoo.org"
Date: Wed, 7 Apr 2010 11:06:03 -0400
Subject: RE: [gentoo-user] Portage + checksums
Message-ID: <8622C222D2FC9D499533B1EEF631D39303331FA8F9@IMCMBX1.MITRE.ORG>
References: <8622C222D2FC9D499533B1EEF631D3930332DB4A02@IMCMBX1.MITRE.ORG> <201004070016.13793.alan.mckinnon@gmail.com> <201004070658.55487.michaelkintzios@gmail.com> <20100407143507.3dca719a@toxic.dbnet>
In-Reply-To: <20100407143507.3dca719a@toxic.dbnet>
List-Id: Gentoo Linux mail

So to avoid "spamming" with 20+ Thank You emails I'll send out just one and thank you all collectively for the information provided (I hope this isn't rude - I'm not sure of proper protocol in this situation). I have a lot more insight now and some new ideas of where I need to look to learn more. This is a great community and it reflects in the OS - I don't know why I waited so long to try Gentoo.(??)!

-john

-----Original Message-----
From: Jonas de Buhr [mailto:jonas.de.buhr@gmx.net]
Sent: Wednesday, April 07, 2010 8:35 AM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Portage + checksums

> This was an argument against Gentoo more than six or seven years ago
> with regards to the security of the whole portage system.

Every package management system which uses hashes to verify integrity has the same problems. I think a lot of source tarballs are downloaded from the official sites anyway. Someone really paranoid might manually check the patches.

> A number of suggestions were made in those early days, one of them being to sync
> with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
> these two most recent syncs. As far as I know people didn't go for
> this because it was perceived that the system as implemented was
> secure enough and anyway the proposed solution would put too much
> pressure on the mirrors.

I do not have the intention to restart the discussion you mentioned. But getting hashes and tarballs from the same source (mirror) doesn't go far for security. At the moment I just trust the official mirrors and trust that the community would realize soon if there were trojaned packages, the same way I trust apache or the kernel devs not to do anything funny. But I still like the idea of files signed with asynchr. crypt. I sure will have a look into "FEATURES=sign".
/jdb
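To make the point raised in the message above concrete: the Manifest hash check below passes a trojaned tarball whenever the Manifest entry came from the same altered mirror, while the "sync from two mirrors and compare" idea from the thread catches it. This is an added example, not code from the thread or from Portage itself; the Manifest2 `DIST <file> <size> <HASH> <hex> ...` line layout is real, but the package name, tarball bytes and both mirrors' Manifest contents are constructed.

```python
import hashlib

DIST_NAME = "foo-1.0.tar.gz"  # constructed package name, not a real distfile
GOOD = b"constructed: honest tarball bytes\n"
EVIL = b"constructed: trojaned tarball bytes\n"


def dist_line(name, data):
    """Build a Manifest2-style DIST entry (size plus SHA256/SHA512) for data."""
    return "DIST %s %d SHA256 %s SHA512 %s" % (
        name, len(data), hashlib.sha256(data).hexdigest(),
        hashlib.sha512(data).hexdigest())


def parse_manifest(text):
    """Return {filename: (size, {algo: hexdigest})} for the DIST entries."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # DIST name size, then algorithm/digest pairs: an odd token count
        if len(parts) >= 5 and parts[0] == "DIST" and len(parts) % 2 == 1:
            hashes = {a.lower(): h for a, h in zip(parts[3::2], parts[4::2])}
            entries[parts[1]] = (int(parts[2]), hashes)
    return entries


def verify_against(manifest_text, name, data):
    """Size and every listed hash must match; unknown algorithms fail closed."""
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return False
    size, hashes = entry
    if size != len(data):
        return False
    for algo, expected in hashes.items():
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:  # algorithm not available in this hashlib build
            return False
        if actual != expected:
            return False
    return True


def two_mirror_check(text_a, text_b, name, data):
    """Accept a distfile only if Manifests from two independent mirrors agree."""
    return verify_against(text_a, name, data) and verify_against(text_b, name, data)


# Mirror A serves an honest Manifest; mirror B's Manifest was rewritten to
# match a trojaned tarball, so hashes and tarball come from one altered source.
MANIFEST_A = dist_line(DIST_NAME, GOOD)
MANIFEST_B = dist_line(DIST_NAME, EVIL)
```

A detached signature over the Manifest (what "FEATURES=sign" produces) gives the same independence without the second sync, because the signing key is not something a mirror can rewrite.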