TheNotSoGreat n00b
Joined: 30 Aug 2011 Posts: 15
Posted: Tue Aug 30, 2011 4:30 am Post subject: Noob Portage question

Hello, I am new to gentoo and just have a small question so please bear with me.
Are packages from Portage signed? I am not asking if the functionality is there, but whether all packages in the repo are signed and their signatures checked for verification. I have refrained from using Arch because Arch does not have package signing making it horribly insecure.
bjlockie Veteran
Joined: 18 Oct 2002 Posts: 1186 Location: Canada
Posted: Tue Aug 30, 2011 5:01 am Post subject: Re: Noob Portage question

TheNotSoGreat wrote:
> Hello, I am new to gentoo and just have a small question so please bear with me.
> Are packages from Portage signed? I am not asking if the functionality is there, but whether all packages in the repo are signed and their signatures checked for verification. I have refrained from using Arch because Arch does not have package signing making it horribly insecure.

Yes, I think it uses md5.
See
jdhore Retired Dev
Joined: 13 Apr 2007 Posts: 106
Posted: Tue Aug 30, 2011 7:23 am Post subject: Re: Noob Portage question

bjlockie wrote:
> TheNotSoGreat wrote:
> > Hello, I am new to gentoo and just have a small question so please bear with me.
> > Are packages from Portage signed? I am not asking if the functionality is there, but whether all packages in the repo are signed and their signatures checked for verification. I have refrained from using Arch because Arch does not have package signing making it horribly insecure.
> Yes, I think it uses md5.
> See

Close. It uses RIPEMD160, SHA-1, size *AND* SHA-256.
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9532 Location: beyond the rim
Posted: Tue Aug 30, 2011 7:45 am Post subject:

There is some signature infrastructure, but last I know signatures aren't validated yet. But that information could very well be outdated.
(I assume you refer to actual signatures, not just file hashes which are in place as noted above).
TheNotSoGreat n00b
Joined: 30 Aug 2011 Posts: 15
Posted: Tue Aug 30, 2011 2:16 pm Post subject:

Quote:
> There is some signature infrastructure, but last I know signatures aren't validated yet. But that information could very well be outdated.
> (I assume you refer to actual signatures, not just file hashes which are in place as noted above).

Yes, actual signatures.
But would the file hash checks provide the same security as other distributions? In Arch, because of a lack of signatures a mirror can be compromised and packages tampered with, and no one would notice, at least until users download the malicious package. Do hash checks prevent this from happening and would they immediately find any tampered packages?
If this question sounds stupid it probably is, I am no expert Linux user.
marens Apprentice
Joined: 05 Aug 2004 Posts: 173
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9532 Location: beyond the rim
Posted: Tue Aug 30, 2011 7:42 pm Post subject:

TheNotSoGreat wrote:
> Do hash checks prevent this from happening and would they immediately find any tampered packages?

Well, the story is a bit too complicated for a simple yes or no answer.
In Gentoo you have to consider two different attack vectors on packages (actually more, but let's keep things simple) as in Gentoo land (source) packages actually consist of multiple files located on different infrastructures. This is different to e.g. the RPM world where a (source or binary) package is contained in a single (S)RPM file, which can obviously not be split across different infrastructures.
The two infrastructures for Gentoo are the so-called distfiles mirrors, and the rsync mirrors. The first contain the source tarballs for nearly all packages, while the rsync servers contain the ebuilds and other support files necessary to build every package. Among those support files are the Manifests that contain the various hashes, including those for the source tarballs on the distfiles mirrors.
What this means is that if a distfiles mirror is compromised and one or more source tarballs are altered, the package manager would detect that when comparing the hash values of the downloaded files with the values from the Manifest and alert the user. If an rsync mirror is compromised and ebuilds or patches are altered the package manager could also detect it. But if you can modify ebuilds you can almost certainly also "fix" the Manifest file with the hash value, as they are on the same infrastructure. And without signatures there is no protection against that. That is one reason why the main rsync mirrors (those in the rsync.gentoo.org rotation) are all under direct control of the Gentoo infrastructure team.
Hope that answers your question (there are other issues I didn't mention, read the signing gleps linked above if you're really interested).
TheNotSoGreat n00b
Joined: 30 Aug 2011 Posts: 15
Posted: Tue Aug 30, 2011 9:19 pm Post subject:

So this means the bottom line is that Gentoo is not as secure as something with package signing.
*sigh*
Guess I will wait until Arch's package manager pacman's 4.0 release goes stable and Arch gets package signing. By then ATI's binary drivers should hit version 11.9 and that will fix the gnome 3 bugs.
titanofold Developer
Joined: 30 Dec 2003 Posts: 235 Location: Bryson City, NC USA
Posted: Wed Aug 31, 2011 12:54 am Post subject:

There's caution and then there's frozen paranoia.
Eight years ago a box that hosted an rsync mirror was compromised. Not the rsync mirror itself, just the box. That was the most recent news item I found. The infrastructure is relatively secure. We're more prone to individual projects external to us being tampered with than with anything internally, but that's the case for everyone regardless of any method of signing, if any.
archrax n00b
Joined: 05 Dec 2011 Posts: 45
Posted: Tue Dec 06, 2011 12:27 am Post subject:

Hello,
I have similar concerns to the OP. I've dabbled on and off with Arch for a while now - more on than off in recent times as I make a last ditch concerted effort to kick the Microsoft habit. I have always been security conscious but fairly ignorant over package signing until recently. Now that I've educated myself I was shocked to discover Arch's lack of package signing. Yes, pacman 4 now implements it but it's in the [testing] repository. If you enable that you get all of testing. Even if you can live with that, not all packages are signed, nor are they all likely to be in the near future. You have to wait until the next time the package is rebuilt. This means that de facto Arch's package signing model is broken.
I've been looking for alternatives to Arch, which are difficult to find. I think Arch is otherwise a brilliant distribution. I've toyed with the idea of Gentoo for a while as I've heard good things but feared I didn't have the time nor perhaps the skill set to set it up. Necessity has now given me the time so I took a look. I was pleasantly surprised to find that not only is the documentation excellent, but also very noob-friendly, along with the forums - much better than Arch in fact.
So the install ISOs are signed. Great! The stage 3 tarballs are signed. Great! The files on the rsync servers are not signed? Not great.

Quote:
> There's caution and then there's frozen paranoia.

Well, that's relative. By the standards of the Arch developers it might appear that it is the Gentoo developers that are paranoid. I understand that you'll never have perfect security. Users are only likely to download the ISO and tarball a couple of times at most, avid enthusiasts aside. But ebuilds could be accessed on a daily basis if you are a frequent updater. Does that not mean that Gentoo's package signing model is also broken?

Quote:
> Eight years ago a box that hosted an rsync mirror was compromised.

Well, I don't know if rsync servers are harder to hack than other servers. But mirrors do get hacked. kernel.org got hacked recently (http://www.linuxfordevices.com/c/a/News/Kernelorg-hacked/) and so did Frugalware (http://article.gmane.org/gmane.linux.frugalware.devel/9899).
Finally, my question. Are there any plans to sign the support files on the rsync mirrors and if so, what is the expected timeline?
Thanks
P.S. Please excuse my ignorance if I have misunderstood how Gentoo works in this regard. I am still halfway through my first build and am still learning but have now halted because of this issue.
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Tue Dec 06, 2011 1:00 am Post subject:

There are plans. See GLEP 57, GLEP 58, and GLEP 59. There's no hard time line, though; nor are the plans complete and accepted. GLEP 57 in particular has a pretty good bibliography of past discussion.
- John
Hu Moderator
Joined: 06 Mar 2007 Posts: 21639
Posted: Tue Dec 06, 2011 2:11 am Post subject:

You can obtain signed snapshots of the Portage tree. A valid signature there indicates that the particular mirror which supplied your tree has not modified it. It does not indicate that the master Gentoo repository is confirmed good. A rogue or compromised developer could commit bad files and the tree signing process would not catch it, even if the committer was modifying an area outside his normal zone of responsibility. However, Gentoo commits are public record and some developers seem to take quite an interest in reviewing commits, so there is a chance that a malicious commit would be caught that way.
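The three situations discussed in this thread (Genone's distfiles-mirror vs. rsync-mirror cases, and Hu's point that a valid tree signature says nothing about the master repository) can be modelled in a few lines. The script below is an added illustration, not Portage code and not anything from the Gentoo project. Its Manifest format is a cut-down Manifest2 (size and SHA256 only; the real one also carries the other hashes mentioned above), the file contents are constructed, and the "signature" is an HMAC with a key that only the tree signers hold, standing in for the OpenPGP detached signature that the GLEPs describe.

```python
"""Model of Manifest hash checks versus tree signing (constructed example)."""
import hashlib
import hmac

# Constructed sample package: a source tarball (served by a distfiles
# mirror) and an ebuild (served by an rsync mirror, next to the Manifest).
GOOD_FILES = {
    "DIST": {"foo-1.0.tar.gz": b"pretend this is a source tarball\n"},
    "EBUILD": {"foo-1.0.ebuild": b"src_install() { emake install; }\n"},
}

# Hypothetical signing key held by the tree signers, never by a mirror.
SIGNING_KEY = b"constructed-release-engineering-key"


def make_manifest(files):
    """Build Manifest lines of the form '<TYPE> <name> <size> SHA256 <hex>'."""
    lines = []
    for ftype, entries in files.items():
        for name, data in sorted(entries.items()):
            digest = hashlib.sha256(data).hexdigest()
            lines.append(f"{ftype} {name} {len(data)} SHA256 {digest}")
    return "\n".join(lines) + "\n"


def verify_manifest(manifest, files):
    """Return {name: bool}: does each file match the size and SHA256 listed?"""
    results = {}
    for line in manifest.splitlines():
        ftype, name, size, algo, digest = line.split()
        data = files[ftype][name]
        actual = hashlib.sha256(data).hexdigest()
        results[name] = (int(size) == len(data) and algo == "SHA256"
                         and hmac.compare_digest(actual, digest))
    return results


def sign_manifest(manifest, key):
    """Stand-in for a detached signature over the Manifest text."""
    return hmac.new(key, manifest.encode(), "sha256").hexdigest()


def signature_valid(manifest, signature, key):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def copy_files(files):
    return {ftype: dict(entries) for ftype, entries in files.items()}


def distfile_mirror_tampered():
    """Tarball altered on a distfiles mirror; the Manifest on the rsync
    mirror is untouched. Returns True if the hash check catches it."""
    manifest = make_manifest(GOOD_FILES)
    seen = copy_files(GOOD_FILES)
    seen["DIST"]["foo-1.0.tar.gz"] += b"extra bytes a user never asked for\n"
    return not all(verify_manifest(manifest, seen).values())


def rsync_mirror_tampered():
    """Ebuild altered on an rsync mirror and, since the Manifest sits on the
    same host, the Manifest regenerated to match. The mirror does not hold
    the signing key, so only the old genuine signature is available.
    Returns (caught_by_hashes, caught_by_signature)."""
    genuine_sig = sign_manifest(make_manifest(GOOD_FILES), SIGNING_KEY)
    seen = copy_files(GOOD_FILES)
    seen["EBUILD"]["foo-1.0.ebuild"] += b"pkg_postinst() { echo tampered; }\n"
    forged_manifest = make_manifest(seen)  # hashes now match the bad ebuild
    caught_by_hashes = not all(verify_manifest(forged_manifest, seen).values())
    caught_by_sig = not signature_valid(forged_manifest, genuine_sig, SIGNING_KEY)
    return caught_by_hashes, caught_by_sig


def compromised_committer():
    """Bad change lands in the master repository and is signed with the
    legitimate key: neither check fires, which is Hu's caveat above.
    Returns (caught_by_hashes, caught_by_signature)."""
    seen = copy_files(GOOD_FILES)
    seen["EBUILD"]["foo-1.0.ebuild"] += b"pkg_postinst() { echo tampered; }\n"
    manifest = make_manifest(seen)
    sig = sign_manifest(manifest, SIGNING_KEY)
    return (not all(verify_manifest(manifest, seen).values()),
            not signature_valid(manifest, sig, SIGNING_KEY))


if __name__ == "__main__":
    print("distfiles mirror tampering caught by hashes:", distfile_mirror_tampered())
    print("rsync mirror tampering (hashes, signature):", rsync_mirror_tampered())
    print("compromised committer (hashes, signature):", compromised_committer())
```

The second scenario is the one Genone's reply turns on: a recomputed Manifest passes every hash check, and only a signature made with a key the mirror does not possess distinguishes the genuine tree from the forged one. The third scenario shows the limit Hu describes: signing authenticates the path from the signer to you, not the content the signer chose to sign, which is why commit review still matters.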
archrax n00b
Joined: 05 Dec 2011 Posts: 45
Posted: Tue Dec 06, 2011 11:28 am Post subject:

Thanks for the quick responses guys.

Quote:
> You can obtain signed snapshots of the Portage tree.

That's great. I've now looked this up in the manual. I can live with that. I don't need the system to be absolutely on the bleeding edge as long as it is reasonably up-to-date. Roughly, how often are these snapshots updated? Weekly? Monthly? Just as a very broad idea.
Thanks once again.
EDITED:
Ignore my question. I did RTFM but obviously not closely enough.

Quote:
> ...you can still update your Portage tree by using our daily generated Portage tree snapshots...

Looking forward to building my new Gentoo system.