490392 – app-portage/emerge-delta-webrsync deltas have no gpg signature

Bug 490392 - app-portage/emerge-delta-webrsync deltas have no gpg signature

Summary: app-portage/emerge-delta-webrsync deltas have no gpg signature

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Portage team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-11-04 14:54 UTC by Luca Schuhmacher
Modified:	2023-08-19 15:22 UTC (History)
CC List:	4 users (show)

See Also:	286373
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Luca Schuhmacher 2013-11-04 14:54:04 UTC

as i looked at webrsync, it seems it just pulls deltas which have no gpg signatures and happily installs them. so verifiying the snapshots is useless.

deltas should be disabled with webrsync-gpg useflag or get gnupg sigs as well.

Reproducible: Always

Comment 1 Zac Medico gentoo-dev

2014-09-27 20:39:07 UTC

(In reply to Luca Schuhmacher from comment #0)
> as i looked at webrsync, it seems it just pulls deltas which have no gpg
> signatures and happily installs them. so verifiying the snapshots is useless.

It reconstructs the snapshot from the deltas, and then verifies the signature on the snapshot. It's just as good and downloading the whole snapshot and then verifying that.