Security during emerge --sync

pavel_prochazka · n00b Joined: 29 Sep 2008 Posts: 26

Hi there,
Just a short question about protection of mirrors. I mean when I provide

apathetic · n00b Joined: 28 Aug 2014 Posts: 36

229566 · Tux's lil' helper Joined: 16 Aug 2010 Posts: 127

hasufell · Retired Dev Joined: 29 Oct 2011 Posts: 429

I've said that before: never use rsync to update your tree. It's so inherently insecure that it's embarrassing that we still provide it. Manifest signing is still not enforced and inconsistent. Eclasses are NOT signed whatsoever and would be my first target.

Only use the signed tarballs.

Ant P. · Watchman Joined: 18 Apr 2009 Posts: 6920

Okay, that... was a very needed wakeup call. Thank you.

I'll be doing that next time I sync, even though I'm using half a dozen overlays that are objectively worse... Hopefully Paludis has enough of this built in to make it easy, but if it doesn't I'll *make* it work.

hasufell · Retired Dev Joined: 29 Oct 2011 Posts: 429

Paludis can handle overlays internally, however you can still use emerge-webrsync and layman to update stuff. If you use layman, you have to create the repository conf files yourself ofc.

sera · Retired Dev Joined: 29 Feb 2008 Posts: 1017 Location: CET

user · Apprentice Joined: 08 Feb 2004 Posts: 233

By the way:
Is there any hope that we will see a daily signed portage squashfs xz-compressed file again?
Last portage sqfs dated from mar 2014.

squashfs can directly mounted as /usr/portage without the need of extracting tar archives.

kernelOfTruth · Posted: Sat Nov 08, 2014 2:03 am Post subject:

tld · Veteran Joined: 09 Dec 2003 Posts: 1860

229566 · Tux's lil' helper Joined: 16 Aug 2010 Posts: 127

krinn · Watchman Joined: 02 May 2003 Posts: 7471

I wonder why someone sync to random server to endup breaking it if the rsync server is from Ukraine or other.
Just sync with server you want, define them in your make.conf
It's just from a security point of view, stupid, but if you can rsync without jumping on your keyboard everytime you fall on a "bad" server country hosting, it will saved your keyboard.
If you assume Ukrainian country have more hackers, you still cannot assume Ukrainian servers are the best to hack to propagate virus or something, the best would be the more secure server, as the more secure are the more trust and the more used, and any flow in it should affect a greater number of users.
Just like assuming Ukrainian have more capable devs, so more potential hackers base, you should then assume Ukrainian servers are the best secure as they have a greater competent server admin base too.
When it comes to security, assuming anything is stupid and the best way to fall into what you were trying to avoid

Ant P. · Watchman Joined: 18 Apr 2009 Posts: 6920

Random thought: if someone put together a MITM proof-of-concept and gave the media snowball a little push, maybe it'd cause enough embarrassment to finally get us out of CVS hell.

I'm sure there's a few Arch users looking for payback after all the times their package manager got laughed at for doing the same thing

tld · Veteran Joined: 09 Dec 2003 Posts: 1860

I got this set up and used it the other day. Everything worked fine. The instructions around this leave a little to be desired, for example (as I've seen in other posts on the forum), the key server subkeys.pgp.net in the instructions does NOT work for receiving the 0xDB6B8C1F96D8BF6D key, though keys.gnupg.net does. That really had me going.

arnvidr · l33t Joined: 19 Aug 2004 Posts: 629 Location: Oslo, Norway

229566 · Tux's lil' helper Joined: 16 Aug 2010 Posts: 127

Yeah it doesn't work today for me either. So what are the trusted alternatives, I don't really do PGP so I'm not in the loop.

http://people.skolelinux.org/pere/blog/Good_bye_subkeys_pgp_net__welcome_pool_sks_keyservers_net.html

Found that post. Any thoughts about that pool from more security-savvy folks? Why doesn't Gentoo store such keys on its own infra?

frostschutz · Advocate Joined: 22 Feb 2005 Posts: 2977 Location: Germany

The last time I had malware (a suid binary that provided local root exploit) on my system, it was part of the official ebuild in the tree, signed and sealed. Not Gentoo's fault since the exploit was part of some fancy GUI software that had the best of intentions... but this kind of thing is to be expected. Gentoo users want the latest software in the tree yesterday, and no one is getting paid for doing code reviews.

steveL · Posted: Fri Nov 14, 2014 5:25 pm Post subject:

djdunn · l33t Joined: 26 Dec 2004 Posts: 812

I had to fetch the key once, ctrl C it then fetch it again and it worked, i donno why
_________________
“Music is a moral law. It gives a soul to the Universe, wings to the mind, flight to the imagination, a charm to sadness, gaiety and life to everything. It is the essence of order, and leads to all that is good and just and beautiful.”

― Plato

djdunn · l33t Joined: 26 Dec 2004 Posts: 812

ulenrich · Veteran Joined: 10 Oct 2010 Posts: 1483

steveL · Posted: Tue Nov 18, 2014 3:36 am Post subject:

tld · Veteran Joined: 09 Dec 2003 Posts: 1860

I just noticed something regarding emerge-webrsync that I hadn't noticed...something to be aware of:

Using "emerge --sync" has always warned me when there was a new version of portage available...recommending to update that first. It appears the same isn't true with emerge-webrsync. I just ran that and got no such warning, and happened to notice this when I went to update:

frostschutz · Advocate Joined: 22 Feb 2005 Posts: 2977 Location: Germany

Update portage first? I haven't done that in a long time... if it was so important, portage should do this by itself, on a world update... if it doesn't do it already.

tld · Veteran Joined: 09 Dec 2003 Posts: 1860