On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <jbutterworth@mitre.org> wrote:
> Thank you Shimi.
>
> I also came across a couple of threads in my research:
>
>
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/
> and
>
> http://thread.gmane.org/gmane.linux.gentoo.devel/38363
>
> These (from back in 2006/2008) discuss potential changes to make the
> Gentoo software distribution system more secure. Does Portage verify
> various different hash signatures on the source files as a result of these
> recommendations or is this something Portage has always done? Does anyone
> know if anything (else) ever came of these proposals?
>
This is with regard to signing; signing also promises you that the file at
Gentoo's main distribution is intact, otherwise the signature won't be valid.
Verifying file integrity by hashes is unrelated; of course, when you do
sign your releases, you have to sign all the relevant stuff, including the
hashes of the files, so everyone can verify that *nothing* was tampered with. But
I was merely talking about verifying that the downloaded file matches what
the developer who added the package had on his computer (assuming, again,
that you're syncing from a reliable source, and that this reliable source,
which is syncing from Gentoo's main tree, is syncing from a non-compromised
tree, AND that no one MITM'd it - which is difficult to achieve when rsync
traffic is not SSL with verifiable certs AND the packages themselves are not
signed with PGP etc...)
Anyway, the existence of hashes for the files, if memory serves me right,
has been there since before I started using Gentoo, which dates back to the end of
2003... the hash algorithms have changed over time, but that's no biggie -
you can look at the Manifest file I gave as an example - you just have the hash
there along with the algorithm that needs to verify it (and there's more
than one...)
Sorry but I don't know about the status of actual Signing in Gentoo which is
probably handled by the security people... I am merely an old user :)
HTH,
-- Shimi
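Shimi's point above is that the Manifest hashes only prove the downloaded distfile matches what the tree says it should be; they say nothing about whether the tree itself is authentic, which is what a signature over the Manifest would add. The following is an added example (not code from this thread or from Portage) that parses Manifest-style `DIST` lines, checks a file's size and every listed hash, and then shows the limitation: a file and Manifest substituted together still verify. The `DIST <name> <size> <ALGO> <hex> ...` line layout is assumed here, and the distfile contents and Manifest text are constructed for the demo.

```python
import hashlib

# Constructed sample input: a fake distfile and the Manifest line built for it.
# The DIST line layout ("DIST <name> <size> <ALGO> <hex> ...") is an assumption
# about the Manifest format; the Manifest Shimi refers to is not on this page.
DISTFILE_NAME = "example-1.0.tar.gz"
DISTFILE_BYTES = b"constructed tarball contents, not a real archive\n"


def manifest_dist_line(name, data, algos=("SHA256", "SHA512")):
    """Build a DIST line for `data` (used only to construct sample input)."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts.append(algo)
        parts.append(hashlib.new(algo.lower(), data).hexdigest())
    return " ".join(parts)


MANIFEST_TEXT = manifest_dist_line(DISTFILE_NAME, DISTFILE_BYTES) + "\n"


def parse_manifest(text):
    """Return {filename: (size, {ALGO: hexdigest})} for every DIST line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # ignore other entry types and blank lines
        name, size = fields[1], int(fields[2])
        algo_fields = fields[3:]
        if len(algo_fields) % 2:
            raise ValueError(f"malformed DIST line: {line!r}")
        hashes = dict(zip(algo_fields[::2], algo_fields[1::2]))
        entries[name] = (size, hashes)
    return entries


def verify_distfile(name, data, manifest_entries):
    """Check size and every listed hash; return (ok, list_of_problems)."""
    if name not in manifest_entries:
        return False, [f"{name} not listed in Manifest"]
    size, hashes = manifest_entries[name]
    problems = []
    if len(data) != size:
        problems.append(f"size mismatch: expected {size}, got {len(data)}")
    for algo, expected in hashes.items():
        try:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        except ValueError:
            # an algorithm this build of hashlib cannot compute is a failure,
            # not a silent pass
            problems.append(f"unsupported hash algorithm {algo}")
            continue
        if actual != expected:
            problems.append(f"{algo} mismatch")
    return (not problems), problems


def demo():
    """Return (intact_ok, modified_ok, substituted_pair_ok)."""
    entries = parse_manifest(MANIFEST_TEXT)
    intact_ok, _ = verify_distfile(DISTFILE_NAME, DISTFILE_BYTES, entries)
    # A modified distfile against the genuine Manifest is caught.
    modified_ok, _ = verify_distfile(DISTFILE_NAME, DISTFILE_BYTES + b"x", entries)
    # If both the distfile and the Manifest are replaced in transit (the MITM
    # case in the mail), the hashes still agree: only a signature over the
    # Manifest, checked against a trusted key, would detect this.
    other = b"substituted contents"
    other_entries = parse_manifest(manifest_dist_line(DISTFILE_NAME, other))
    substituted_ok, _ = verify_distfile(DISTFILE_NAME, other, other_entries)
    return intact_ok, modified_ok, substituted_ok


if __name__ == "__main__":
    print(demo())
```

Every algorithm listed on the line is checked and any unknown one is reported as a failure rather than skipped, so an older or unsupported hash name cannot quietly weaken the check; the final result in `demo()` is the one the mail warns about, where hash verification alone passes because the attacker controls both sides of the comparison.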