Noob Portage question

TheNotSoGreat · n00b Joined: 30 Aug 2011 Posts: 15

Hello, I am new to gentoo and just have a small question so please bear with me.
Are packages from Portage signed? I am not asking if the functionality is there, but whether all packages in the repo are signed and their signatures checked for verification. I have refrained from using Arch because Arch does not have package signing making it horribly insecure.

bjlockie · Veteran Joined: 18 Oct 2002 Posts: 1186 Location: Canada

jdhore · Retired Dev Joined: 13 Apr 2007 Posts: 106

Genone · Posted: Tue Aug 30, 2011 7:45 am Post subject:

There is some signature infrastructure, but last I know signatures aren't validated yet. But that information could very well be outdated.
(I assume you refer to actual signatures, not just file hashes which are in place as noted above).

TheNotSoGreat · n00b Joined: 30 Aug 2011 Posts: 15

marens · Apprentice Joined: 05 Aug 2004 Posts: 173

arch recently added package signing see http://www.reddit.com/r/linux/comments/jfvp9/package_signing_coming_to_archlinux/ and read link1 for an overview of attacks and which package manager implemented which security features at that time and http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/users/robbat2/tree-signing-gleps/ for a tree signing proposal overview

afaik gentoo devs are still thinking about how to properly implement it.
_________________
If English was good enough for Jesus, then it's good enough for you!

Genone · Posted: Tue Aug 30, 2011 7:42 pm Post subject:

TheNotSoGreat · n00b Joined: 30 Aug 2011 Posts: 15

So this means the bottom line is that Gentoo is not as secure as something with package signing.
*sigh*
Guess I will wait until Arch's package manager pacman's 4.0 release goes stable and Arch gets package signing. By then ATI's binary drivers should hit version 11.9 and that will fix the gnome 3 bugs.

titanofold · Posted: Wed Aug 31, 2011 12:54 am Post subject:

There's caution and then there's frozen paranoia.

Eight years ago a box that hosted an rsync mirror was compromised. Not the rsync mirror itself, just the box. That was the most recent news item I found. The infrastructure is relatively secure. We're more prone to individual projects external to us being tampered with than with anything internally, but that's the case for everyone regardless of any method of signing, if any.
_________________
The best things in life are free.
Guy-1: Surely, you will fold with me...
Guy-2: Alright, but don't call me Shirley

archrax · n00b Joined: 05 Dec 2011 Posts: 45

Hello,

I have similar concerns to the OP. I've dabbled on and off with Arch for a while now - more on than off in recent times as I make a last ditch concerted effort to kick the Microsoft habit. I have always been security conscious but fairly ignorant over package signing until recently. Now that I've educated myself I was shocked to discover Arch's lack of package signing. Yes, pacman 4 now implements it but it's in the [testing] repository. If you enable that you get all of testing. Even if you can live with that, not all packages are signed, nor are they all likely to be in the near future. You have to wait until the next time the package is rebuilt. This means that de facto Arch's package signing model is broken.

I've been looking for alternatives to Arch, which are difficult to find. I think Arch is otherwise a brilliant distribution. I've toyed with the idea of Gentoo for a while as I've heard good things but feared I didn't have the time nor perhaps the skill set to set it up. Necessity has now given me the time so I took a look. I was pleasantly surprised to find that not only is the documentation excellent, but also very noob-friendly, along with the forums - much better than Arch in fact.

So the install iso's are signed. Great! The stage 3 tarballs are signed. Great! The files on the rsync servers are not signed? Not great.

John R. Graham · Posted: Tue Dec 06, 2011 1:00 am Post subject:

There are plans. See GLEP 57, GLEP 58, and GLEP 59. There's no hard time line, though; nor are the plans complete and accepted. GLEP 57 in particular has a pretty good bibliography of past discussion.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

Hu · Moderator Joined: 06 Mar 2007 Posts: 21639

You can obtain signed snapshots of the Portage tree. A valid signature there indicates that the particular mirror which supplied your tree has not modified it. It does not indicate that the master Gentoo repository is confirmed good. A rogue or compromised developer could commit bad files and the tree signing process would not catch it, even if the committer was modifying an area outside his normal zone of responsibility. However, Gentoo commits are public record and some developers seem to take quite an interest in reviewing commits, so there is a chance that a malicious commit would be caught that way.

archrax · n00b Joined: 05 Dec 2011 Posts: 45

Thanks for the quick responses guys.