litan n00b
Joined: 13 Aug 2012 Posts: 51
Posted: Fri Jan 17, 2014 5:14 am Post subject: [SOLVED] emerge --sync security
Hello,
I did my best to search for this topic in the forum and on the web but didn't find anything.
As far as I understand, emerge --sync uses plain rsync protocol in the background, which provides
neither encryption nor authentication. Is this correct?
If so, wouldn't that mean that anyone controlling a machine between my gateway and the portage mirror
can easily pull off a MITM and push to my portage tree any forged ebuild he wants?
Doesn't it also mean that if my DNS is manipulated, emerge will happily connect to any other rsync server?
Or am I missing something?
Don't worry, I am using emerge-webrsync with signature verification all along,
but since a lot of Gentoo users seem to use rsync, this question bugs me.
Also all how-tos about setting up a portage mirror only explain rsync.
Last edited by litan on Sat Jan 18, 2014 6:09 pm; edited 2 times in total
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 47626 Location: 56N 3W
Posted: Fri Jan 17, 2014 10:26 pm
litan,
That's correct, the payload could be delivered in a /files directory as a patch. Tree signing is coming soon.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
litan n00b
Joined: 13 Aug 2012 Posts: 51
Posted: Sat Jan 18, 2014 2:46 am
NeddySeagoon, thank you very much for your answer.
Then I will stick with emerge-webrsync and am looking forward to the tree signing.
Seems like some Manifest files are already signed.
I believe it is secure to download distfiles over an insecure connection or from an untrusted source,
if I have a trusted portage tree, because of the hashes, right?
Don't know if it belongs into this thread, but since it is somewhat related to the topic,
incidentally the following just happened to me (first time ever):
Code:
# emerge -S whirlpool
Searching... | * Digest verification failed:
* /usr/portage/dev-perl/perl-ldap/perl-ldap-0.570.0.ebuild
* Reason: Failed on SHA256 verification
* Got: 9a5115ebaebd8ff18b37fe736207cb668f10d4d189cb3b4719d462efcce7815e
* Expected: 59b8bd21579f2e8241651301846ec0e32ca9a6adc3dc4940fccdafccfb3c378b
This happens only in one of my Gentoo installations, but I always used emerge-webrsync, I'm pretty sure.
Any ideas what that could mean? A search only brought up a bug with pycrypto, which was fixed years ago.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 47626 Location: 56N 3W
Posted: Sat Jan 18, 2014 11:51 am
litan,
Syncs are not atomic. It's possible you have a mix of old bits and new bits.
A new sync should fix it.
_________________
Regards,
NeddySeagoon
litan n00b
Joined: 13 Aug 2012 Posts: 51
Posted: Sat Jan 18, 2014 6:08 pm
I see, you mean the sync was interrupted at that point.
Yes, a new sync fixed it.
Thank you for enlightening me.
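
Added example, not part of the thread and not Portage's own code: a minimal Python check of Manifest2-style entries (type, name, size, then hash-name/digest pairs) that reproduces the stale-file situation described above, where the Manifest is new but one ebuild on disk is old. The package name, file contents and helper names are constructed for illustration.

```python
import hashlib
import os
import tempfile

TYPES = {"AUX", "EBUILD", "MISC", "DIST"}  # Manifest2 entry types

def parse_manifest(text):
    """Yield (type, name, size, {HASHNAME: hexdigest}) for each entry line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in TYPES:
            continue  # blank lines, signature armor, anything unrecognised
        pairs = parts[3:]
        yield parts[0], parts[1], int(parts[2]), dict(zip(pairs[0::2], pairs[1::2]))

def verify_package(pkg_dir, manifest_text):
    """Return [(relative path, reason)] for each tree file that fails its entry."""
    failures = []
    for ftype, name, size, hashes in parse_manifest(manifest_text):
        if ftype == "DIST":
            continue  # distfiles are not in the tree; they are checked after fetch
        rel = os.path.join("files", name) if ftype == "AUX" else name
        try:
            with open(os.path.join(pkg_dir, rel), "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            failures.append((rel, "missing"))
            continue
        if len(data) != size:
            failures.append((rel, "size mismatch"))
        elif hashlib.sha256(data).hexdigest() != hashes.get("SHA256"):
            failures.append((rel, "Failed on SHA256 verification"))
    return failures

def demo():
    """Constructed package: the Manifest is new, the ebuild on disk is stale."""
    new, old = b'EAPI=5\nDESCRIPTION="sample"\n', b'EAPI=4\nDESCRIPTION="sample"\n'
    patch = b"--- a/x\n+++ b/x\n"
    line = lambda t, n, d: "%s %s %d SHA256 %s" % (t, n, len(d), hashlib.sha256(d).hexdigest())
    manifest = "\n".join([line("EBUILD", "demo-1.0.ebuild", new), line("AUX", "fix.patch", patch)])
    with tempfile.TemporaryDirectory() as pkg:
        os.mkdir(os.path.join(pkg, "files"))
        for rel, data in (("files/fix.patch", patch), ("demo-1.0.ebuild", old)):
            with open(os.path.join(pkg, rel), "wb") as fh:
                fh.write(data)
        stale = verify_package(pkg, manifest)   # half-finished sync
        with open(os.path.join(pkg, "demo-1.0.ebuild"), "wb") as fh:
            fh.write(new)                       # a fresh sync brings the new file
        return stale, verify_package(pkg, manifest)

if __name__ == "__main__":
    print(demo())
```

A passing check only shows that the files match the Manifest; whether the Manifest itself can be trusted depends on how it reached the machine, which is what signature verification addresses.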