Peter Simons wrote:
> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
> the Gentoo main system.
>
> (2) Sign the output with GPG.
>
> (3) Put it into the portage tree.
>
> (4) If the user has GPG installed and has manually put the
> appropriate public key in some place _outside_ of the
> portage tree, have "emerge sync" verify that the
> signature is intact and all hashes hold.
>
> (5) Missing files in the tree are okay (rsync_excludes),
> files in the tree which do not have a hash are not okay.
This is a good start, but I have some thoughts.
Let's see the attack tree against Gentoo portage. The attacker wants to
inject malicious code into the tree, he has several choices now:
1) Attack the end user's machine
2) Attack the connection between the end user and the Portage mirror
3) Attack the mirror machine
4) Attack the connection between the main site and the mirror
5) Attack the main site
6) Attack the connection between the developer and the main site
7) Attack the developer's machine
Your algorithm eliminates the risk in leaves 2 to 4.
How about this: the developers have to sign the files they upload, but
do this before they upload them? This would eliminate leaves 5 and 6, too.
/Ervin
--
gentoo-security@gentoo.org mailing list
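The verification side of the quoted proposal, written out as an added shell example (not code from Peter's or Ervin's posts, nor from Gentoo's portage): build the hash list with `find | sha1sum -b`, then check a synced tree against it under rule (5), tolerating files the manifest lists but the tree lacks (rsync_excludes) while rejecting any file that has no hash or a wrong one. The manifest layout ("hash *./relative/path"), the `shasum` fallback, the keyring path argument and the constructed sample tree in `demo` are all assumptions of this example.

```shell
#!/bin/sh
# Added example: manifest build and verification for a synced portage-style tree.
# Manifest line format (assumption): "<sha1> *./relative/path", i.e. sha1sum -b output.

hash_files() {
  # sha1sum -b as in the proposal; shasum on systems without coreutils (assumption)
  if command -v sha1sum >/dev/null 2>&1; then xargs sha1sum -b; else xargs shasum -a 1 -b; fi
}

make_manifest() {
  # $1 = tree root. Emit one "hash *./path" line per regular file, sorted for stable diffs.
  (cd "$1" && find . -type f | sort | hash_files)
}

verify_signature() {
  # $1 = detached signature, $2 = manifest, $3 = keyring kept OUTSIDE the tree (assumption).
  # Not exercised by demo(); shown for the "emerge sync" step of the proposal.
  gpg --no-default-keyring --keyring "$3" --verify "$1" "$2"
}

verify_tree() {
  # $1 = tree root, $2 = (already signature-checked) manifest.
  # Returns 0 when every file present in the tree matches its manifest hash.
  # Files in the manifest but absent from the tree are tolerated; files in the
  # tree with no manifest entry, or with a different hash, fail.
  tree=$1; manifest=$2
  actual=$(mktemp)
  make_manifest "$tree" > "$actual"
  # Lines of the real tree that do not appear verbatim (hash AND path) in the manifest.
  bad=$(grep -v -x -F -f "$manifest" "$actual" || true)
  rm -f "$actual"
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" | while IFS= read -r line; do
    path=${line#* \*}
    # Distinguish "listed with another hash" from "not listed at all" for the report.
    if awk -v p="$path" '{ sub(/^[0-9a-f]* \*/, ""); if ($0 == p) f=1 } END { exit !f }' "$manifest"; then
      echo "HASH MISMATCH: $path" >&2
    else
      echo "NO HASH IN MANIFEST: $path" >&2
    fi
  done
  return 1
}

demo() {
  # Constructed sample tree; returns 0 only if all four rule-(5) cases behave as expected.
  root=$(mktemp -d)
  tree=$root/portage; manifest=$root/Manifest
  mkdir -p "$tree/app-foo/bar" "$tree/app-foo/baz"
  printf 'DESCRIPTION="constructed ebuild"\n' > "$tree/app-foo/bar/bar-1.0.ebuild"
  printf 'DESCRIPTION="another constructed ebuild"\n' > "$tree/app-foo/baz/baz-2.1.ebuild"
  make_manifest "$tree" > "$manifest"
  ok=0
  # (a) untouched tree verifies
  verify_tree "$tree" "$manifest" && ok=$((ok+1))
  # (b) a file dropped by rsync_excludes is tolerated
  rm "$tree/app-foo/baz/baz-2.1.ebuild"
  verify_tree "$tree" "$manifest" && ok=$((ok+1))
  # (c) a file with no hash in the manifest is rejected
  printf 'unlisted\n' > "$tree/app-foo/bar/extra.ebuild"
  verify_tree "$tree" "$manifest" 2>/dev/null || ok=$((ok+1))
  rm "$tree/app-foo/bar/extra.ebuild"
  # (d) a listed file whose content changed is rejected
  printf 'changed\n' >> "$tree/app-foo/bar/bar-1.0.ebuild"
  verify_tree "$tree" "$manifest" 2>/dev/null || ok=$((ok+1))
  rm -rf "$root"
  [ "$ok" -eq 4 ]
}
```

In real use the order matters: `verify_signature` must pass on the manifest before `verify_tree` trusts its hashes, and the keyring it reads from has to live somewhere rsync cannot overwrite, which is exactly step (4) of the proposal.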