Gentoo Forums
Installing Gentoo from another Linux Distro is it Safe?
jordanweb
n00b
Joined: 27 Oct 2020
Posts: 14

Posted: Wed Nov 25, 2020 10:09 am    Post subject: Installing Gentoo from another Linux Distro is it Safe?

Hi, I have a question and I'm new to Gentoo Linux. I have concerns about installing Gentoo from another Linux distro. How can I ensure it is safe, for example installing Gentoo from Ubuntu or Mint or Clonezilla? The Clonezilla operating system is based in China, or Ubuntu etc.; could they potentially insert a backdoor into your system?

Distros I have tried for installing Gentoo:
#
voidlinux failed architecture error
porteus os failed emerge error
artix linux failed locale and other errors
MxLinux failed emerge-webrsync errors

#
Ubuntu 16 / 20 success no errors everything
Linux Mint 20 success no errors everything
Systemrescue success no errors (need tweaking)
Clonezilla success no errors (need tweaking a little network)


My question is: can they potentially insert a backdoor when you type chroot /mnt/gentoo /bin/bash?
Why is it able to show the current names in the /mnt/gentoo chroot, like #void #debian?
Code:
chroot /mnt/gentoo /bin/bash

ubuntu#
mint#
void#
Debian#

What is the safest way to install Gentoo? What distro did you use when you installed Gentoo? That's my question. Sorry for my bad English, I'm Swiss. And thanks for helping.

etnull
Guru
Joined: 26 Mar 2019
Posts: 487
Location: Russia

Posted: Wed Nov 25, 2020 10:33 am

Technically it is possible, but very, very unlikely. First, it will be caught within hours if not minutes, not achieving anything apart from damaging (if not killing) the distribution; everything is open source, so you can't hide something so big and outrageous from the community. And the second thing is that distribution maintainers spend many years gaining trust and improving their own systems (most often they use the same distro they maintain); why would you kill your own creation after so much effort was put into it? It's like killing your own child. Pick any big name with a reputation and it will be secure enough for initial installation.

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 47043
Location: 56N 3W

Posted: Wed Nov 25, 2020 12:51 pm

jordanweb,

None of the code from the boot media ends up in your Gentoo install. The boot media is only a toolkit.
Further, you can rebuild your Gentoo from the sources any time you like.
That makes it a difficult attack vector to exploit.

As soon as you
Code:
chroot /mnt/gentoo /bin/bash
the /bin/bash comes from the Gentoo stage3, so it's Gentoo-provided code.
Everything in the stage3 is either Gentoo provided or (re)built by you. The host provides services, like the network.
You did check the hashes on the stage3 before you untarred it?

The ::gentoo repo is signed by Gentoo private keys and portage checks the signatures.
Distfiles are validated against size and several secure hash functions to ensure that they are delivered as intended.
The correct size and hash values are distributed as part of the ::gentoo repo and covered by the crypto signatures.
To inject a back door by tampering with downloads requires that the secret keys are compromised.

It's far more likely that you will navigate to www.dodgy.website.com and get a Java download that you don't want.

Nothing is impossible. It's unlikely because there are other attack vectors that are easier to exploit and have a bigger pool of potential targets.
Hence Java nasties. They run almost anywhere.
Then Windows has a big user pool ...
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
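
The size-and-hash check on distfiles described in the post above, as an added example (not part of the original post and not Portage's own code): it parses one Manifest `DIST` entry and compares a file's size, BLAKE2B and SHA512 against it. The file name, contents and entry are constructed sample data, and the sketch assumes the Manifest has already been authenticated through the repo signature.

```python
import hashlib
import os
import tempfile

# Hash names used in Manifest entries, mapped to hashlib constructors.
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def parse_dist_line(line):
    """Parse 'DIST <name> <size> <ALG> <hex> [<ALG> <hex> ...]'."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a well-formed DIST entry")
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))


def verify_distfile(path, dist_line):
    """Return a list of problems; an empty list means the file matches."""
    name, size, digests = parse_dist_line(dist_line)
    hashers = {alg: HASHES[alg]() for alg in digests if alg in HASHES}
    # Fail closed: wrong file name, or no hash we know how to compute.
    if os.path.basename(path) != name or not hashers:
        return ["entry does not apply to this file"]
    problems = [] if os.path.getsize(path) == size else ["size mismatch"]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    problems += [alg + " mismatch" for alg, h in hashers.items()
                 if h.hexdigest() != digests[alg].lower()]
    return problems


def demo():
    """Check an intact file, then a same-size tampered copy (constructed data)."""
    good = b"constructed sample tarball contents\n"
    bad = good.replace(b"sample", b"SAMPLE")  # same length, different bytes
    entry = "DIST example-1.0.tar.gz {} BLAKE2B {} SHA512 {}".format(
        len(good), hashlib.blake2b(good).hexdigest(),
        hashlib.sha512(good).hexdigest())
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-1.0.tar.gz")
        for data in (good, bad):
            with open(path, "wb") as fh:
                fh.write(data)
            results.append(verify_distfile(path, entry))
    return results
```

Calling `demo()` returns one problem list per file: empty for the intact copy, and both hash mismatches for the tampered copy even though its size is unchanged.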

Leonardo.b
n00b
Joined: 10 Oct 2020
Posts: 48

Posted: Wed Nov 25, 2020 1:10 pm

It is possible to inspect the active connections on your system with the netstat utility. It is possible to record the running programs with top.
You can see Amazon's trackers running on Ubuntu with them.

I checked Gentoo installed from there, and I had nothing similar.

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 4474
Location: Illinois, USA

Posted: Wed Nov 25, 2020 2:59 pm

Leonardo.b wrote:
It is possible to inspect the active connections on your system with the netstat utility. It is possible to record the running programs with top.
You can see Amazon's trackers running on Ubuntu with them.

I checked Gentoo installed from there, and I had nothing similar.

I checked my system. It showed a connection to hddtemp at port 7634 and another on port 34748 to my server that I recognized as samba. But no connection to this website!

Leonardo.b
n00b
Joined: 10 Oct 2020
Posts: 48

Posted: Wed Nov 25, 2020 4:54 pm

Tony0945;
I didn't clearly understand your message.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 16468

Posted: Wed Nov 25, 2020 5:53 pm

Tony0945 wrote:
Leonardo.b wrote:
It is possible to inspect the active connections on your system with the netstat utility. It is possible to record the running programs with top.
You can see Amazon's trackers running on Ubuntu with them.

I checked Gentoo installed from there, and I had nothing similar.

I checked my system. It showed a connection to hddtemp at port 7634 and another on port 34748 to my server that I recognized as samba. But no connection to this website!

HTTP/HTTPS connections do not need to persist, unless dealing with JavaScript-laden "Web 2.0" Single Page Applications. This forum uses very simple pages and images, so content can be retrieved quickly and then the connection closed, so you would need to have very lucky timing to catch your browser actively connected. The connections you cite are probably long-lived protocols that keep a single TCP stream open for minutes, hours, or even indefinitely.

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 4474
Location: Illinois, USA

Posted: Wed Nov 25, 2020 8:47 pm

Hu wrote:
The connections you cite are probably long-lived protocols that keep a single TCP stream open for minutes, hours, or even indefinitely.

Yes they are. Several directories are mounted via Samba and a panel app monitors hddtemp.

Leonardo.b: The explanation is as Hu says. I expected to see one or more TCP connections with the browser actively viewing.

EDIT: Right now I have Thunderbird open and netstat shows many imap connections to my e-mail providers (I have three with multiple accounts at one).

Leonardo.b
n00b
Joined: 10 Oct 2020
Posts: 48

Posted: Thu Nov 26, 2020 3:38 pm

I don't care about Ubuntu.
"Does Ubuntu collect user's data?" is another topic.
I suppose yes, because a connection to magog.canonical.c can't be something good; but I don't master the subject, so I must apologize for having called them "trackers".

On Gentoo (installed using Ubuntu usb), I don't notice any strange connection.
Nobody is listening here, and I'm happy.

I was asking myself a similar question, while waiting for the end of the first
Code:
emerge -uND @world

and, as you can imagine, I have had a long time to think about this.

soparla
n00b
Joined: 21 Aug 2018
Posts: 53
Location: New York

Posted: Sun Dec 06, 2020 6:51 am

You can install Gentoo (and perhaps any other OS) from any other OS you'd like as long as you:
1) Partition your disk correctly
2) Create the right file systems
3) Copy a stage tarball (and check its hash codes to make sure it wasn't tampered with)
4) Are able to chroot into the new environment

From there on, you can just follow the user manual almost down to the letter (almost, cuz it really depends on where you chroot into Gentoo from).

That said, why would you use anything else but the Gentoo self boot images? Won't that make your life easier?

I keep a 1GB USB stick around to fix my Gentoo boxes. I haven't updated it in years, because as long as it picks up all my hardware and I get to chroot into my env, I don't care for the latest version of the kernel on the USB stick...

So grab that "Minimal Installation CD" from https://www.gentoo.org/downloads/ which is really just an ISO and burn it to a USB stick. Have fun with it :)

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 4474
Location: Illinois, USA

Posted: Sun Dec 06, 2020 3:19 pm

soparla wrote:
That said, why would you use anything else but the Gentoo self boot images? Won't that make your life easier?

Easiest is to use something you are familiar with and have handy. In the beginning I used Knoppix, because I had the CD handy. Then I discovered sysrescuecd. Now I use that. Why not the minimal install disk? Sysrescuecd also has memtest and Windows utilities on it. I've amazed a few people with Windows laptops who forgot their passwords by booting sysrescuecd on the locked laptop and clearing the password. The last time I did it the laptop was a model that usually has SecureBoot on it. Maybe SecureBoot was turned off.

audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6428
Location: /usr/lib64/lv2

Posted: Wed Dec 09, 2020 2:32 pm

Maybe I'm misunderstanding the OP's concern, but I always install Gentoo using a System Rescue CD/USB boot.
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.