Gentoo Forums
[SOLVED] emerge --sync security
litan
n00b
Joined: 13 Aug 2012
Posts: 51

PostPosted: Fri Jan 17, 2014 5:14 am    Post subject: [SOLVED] emerge --sync security

Hello,
I did my best to search for this topic in the forum and on the web but didn't find anything.

As far as I understand, emerge --sync uses the plain rsync protocol in the background, which provides
neither encryption nor authentication. Is this correct?
If so, wouldn't that mean that anyone controlling a machine between my gateway and the portage mirror
can easily pull off a MITM and push to my portage tree any forged ebuild he wants?
Doesn't it also mean that if my DNS is manipulated, emerge will happily connect to any other rsync server?
Or am I missing something?

Don't worry, I am using emerge-webrsync with signature verification all along,
but since a lot of Gentoo users seem to use rsync, this question bugs me.
Also all howto's about setting up a portage mirror only explain rsync.


Last edited by litan on Sat Jan 18, 2014 6:09 pm; edited 2 times in total
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 43571
Location: 56N 3W

PostPosted: Fri Jan 17, 2014 10:26 pm    Post subject:

litan,

That's correct, the payload could be delivered in a /files directory as a patch. Tree signing is coming soon.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
litan
n00b
Joined: 13 Aug 2012
Posts: 51

PostPosted: Sat Jan 18, 2014 2:46 am    Post subject:

NeddySeagoon, thank you very much for your answer.
Then I will stick with emerge-webrsync and am looking forward to the tree signing.
Seems like some Manifest files are already signed.

I believe it is secure to download distfiles over an insecure connection or from an untrusted source,
if I have a trusted portage tree, because of the hashes, right?

I don't know if it belongs in this thread, but since it is somewhat related to the topic,
incidentally the following just happened to me (first time ever):

Code:

# emerge -S whirlpool
Searching...   | * Digest verification failed:
 * /usr/portage/dev-perl/perl-ldap/perl-ldap-0.570.0.ebuild
 * Reason: Failed on SHA256 verification
 * Got: 9a5115ebaebd8ff18b37fe736207cb668f10d4d189cb3b4719d462efcce7815e
 * Expected: 59b8bd21579f2e8241651301846ec0e32ca9a6adc3dc4940fccdafccfb3c378b


This happens only in one of my Gentoo installations, but I always used emerge-webrsync, I'm pretty sure.
Any ideas what that could mean? A search only brought up a bug with pycrypto, which was fixed years ago.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 43571
Location: 56N 3W

PostPosted: Sat Jan 18, 2014 11:51 am    Post subject:

litan,

Syncs are not atomic. It's possible you have a mix of old bits and new bits.
A new sync should fix it.
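The two points made above, that a trusted tree's Manifest hashes protect distfiles fetched from an untrusted mirror, and that a sync interrupted between writing the Manifest and replacing the ebuild leaves a file whose hash no longer matches, can both be shown with one small checker. The following is an added example and not code from the thread or from Portage itself; it reads the Manifest2 line format (`TYPE filename size HASHNAME hex [HASHNAME hex ...]`) and reports mismatches in the style of the emerge output quoted earlier. The package name `foo-1.0`, the path under `/usr/portage`, the file contents and the size-mismatch wording are all constructed for illustration; WHIRLPOOL, which Portage also recorded at the time, is skipped because it is not a guaranteed hashlib algorithm.

```python
"""Verify files against a Gentoo-style Manifest2 and show why a half-applied
sync produces "Digest verification failed". Added example, not Portage code.
Manifest2 lines: TYPE filename size HASHNAME hex [HASHNAME hex ...]
"""
import hashlib

# Manifest hash names -> hashlib names. WHIRLPOOL is skipped on purpose:
# it is only present in hashlib on some OpenSSL builds.
SUPPORTED_HASHES = {"SHA256": "sha256", "SHA512": "sha512"}


def parse_manifest(text):
    """Parse Manifest2 text into {filename: {"type", "size", "hashes"}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # TYPE name size plus at least one (name, hex) pair -> odd count >= 5
        if len(fields) < 5 or len(fields) % 2 == 0:
            raise ValueError(f"malformed Manifest line: {line!r}")
        ftype, name, size = fields[0], fields[1], int(fields[2])
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = {"type": ftype, "size": size, "hashes": hashes}
    return entries


def verify_file(entry, data):
    """Return a list of (reason, got, expected) failures; [] means the file is good."""
    failures = []
    if len(data) != entry["size"]:
        failures.append(("size", len(data), entry["size"]))
    for algo, expected in entry["hashes"].items():
        hashlib_name = SUPPORTED_HASHES.get(algo)
        if hashlib_name is None:
            continue  # hash this checker cannot compute
        got = hashlib.new(hashlib_name, data).hexdigest()
        if got != expected:
            failures.append((algo, got, expected))
    return failures


def verify_tree(manifest_text, files):
    """files maps filename -> bytes. Returns {filename: failures} per Manifest entry."""
    report = {}
    for name, entry in parse_manifest(manifest_text).items():
        if name not in files:
            report[name] = [("missing", None, None)]
        else:
            report[name] = verify_file(entry, files[name])
    return report


def portage_style_message(path, failures):
    """Render the first failure the way the emerge output in the thread looks."""
    if not failures:
        return f" * {path}: OK"
    reason, got, expected = failures[0]
    lines = [" * Digest verification failed:", f" * {path}"]
    if reason == "size":  # constructed wording, not Portage's exact text
        lines.append(f" * Reason: Filesize does not match recorded size ({got} != {expected})")
    else:
        lines += [f" * Reason: Failed on {reason} verification",
                  f" * Got: {got}", f" * Expected: {expected}"]
    return "\n".join(lines)


def manifest_line(ftype, name, data):
    """Build the Manifest2 line a trusted tree would carry for the given data."""
    return " ".join([ftype, name, str(len(data)),
                     "SHA256", hashlib.sha256(data).hexdigest(),
                     "SHA512", hashlib.sha512(data).hexdigest()])


# Constructed sample tree. Old and new ebuild have the same length on purpose,
# so only the hashes differ, exactly as in the emerge output in the thread.
OLD_EBUILD = b'EAPI=5\nDESCRIPTION="old revision"\n'
NEW_EBUILD = b'EAPI=5\nDESCRIPTION="new revision"\n'
DISTFILE = b"constructed tarball bytes, as served by an untrusted mirror\n"

NEW_MANIFEST = "\n".join([
    manifest_line("EBUILD", "foo-1.0.ebuild", NEW_EBUILD),
    manifest_line("DIST", "foo-1.0.tar.gz", DISTFILE),
])

# Sync interrupted after the Manifest was written but before the ebuild was replaced.
HALF_SYNCED = {"foo-1.0.ebuild": OLD_EBUILD, "foo-1.0.tar.gz": DISTFILE}
# Sync completed: every file matches the Manifest.
FULLY_SYNCED = {"foo-1.0.ebuild": NEW_EBUILD, "foo-1.0.tar.gz": DISTFILE}
# Distfile altered in transit: the trusted Manifest still catches it.
TAMPERED = {"foo-1.0.ebuild": NEW_EBUILD, "foo-1.0.tar.gz": DISTFILE + b"x"}


if __name__ == "__main__":
    for label, tree in [("half-synced", HALF_SYNCED), ("fully synced", FULLY_SYNCED),
                        ("tampered distfile", TAMPERED)]:
        print(f"== {label} ==")
        for name, failures in verify_tree(NEW_MANIFEST, tree).items():
            print(portage_style_message(f"/usr/portage/app-misc/foo/{name}", failures))
```

Running it prints the SHA256 failure for the half-synced ebuild, a clean report once the sync has completed, and a size plus hash failure for the altered distfile. The point the check makes is that the hashes only protect you if the Manifest they come from arrived intact, which is why the thread's answer to the rsync question is signature verification of the tree (emerge-webrsync today, tree signing as promised above) rather than the Manifest alone.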
litan
n00b
Joined: 13 Aug 2012
Posts: 51

PostPosted: Sat Jan 18, 2014 6:08 pm    Post subject:

I see, you mean the sync was interrupted at that point.
Yes, a new sync fixed it.
Thank you for enlightening me. :)