Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Portage tree security?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
D-LINC
Tux's lil' helper
Tux's lil' helper


Joined: 31 Jan 2011
Posts: 135
Location: Alaska

PostPosted: Wed Oct 17, 2012 8:20 pm    Post subject: Portage tree security? Reply with quote

Question relating to the security of the Portage infrastructure: How does one know that the Portage snapshot (or deltas) downloaded from a mirror are the same as those originally provided by the Gentoo team? (I.e., that they haven't been compromised at the mirror.)
_________________
frigidcode.com
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Oct 17, 2012 9:51 pm    Post subject: Reply with quote

You can get the GPG signatures for the snapshots from the mirrors. Of course, this begs the question, how do you know you can trust the agent that signs the snapshots? Full Portage tree and process security is a non-trivial problem and is an early work in process. See GLEPs 57, 58, and 59.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
ryao
Developer
Developer


Joined: 27 Feb 2012
Posts: 132

PostPosted: Thu Oct 18, 2012 9:04 am    Post subject: Reply with quote

emerge-webrsync is supposed to be protected by PGP signing, although I never looked at it in depth to confirm that.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum