Bug 64259 - portage should sign the files that describe installed packages
Summary: portage should sign the files that describe installed packages
Status: RESOLVED WONTFIX
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Enhancement/Feature Requests
Hardware: All All
Importance: High normal
Assignee: Portage team
Duplicates: 64261
Blocks: 64256
Reported: 2004-09-16 06:13 UTC by SpanKY
Modified: 2005-10-16 00:52 UTC (History)

Description SpanKY gentoo-dev 2004-09-16 06:13:34 UTC
before a package is merged to / and after portage builds the CONTENTS file containing the hashes/mtimes of the new package, portage should sign the result

for example, if i `emerge nano`, portage should produce a Manifest which hashes the files in /var/db/pkg/app-editors/nano-1.3.4/* and signs the result and then stores it in /var/db/pkg/app-editors/nano-1.3.4/

the problem being that if a malicious user compromises the box, currently they can replace any file and then just update the CONTENTS files; also, this will help out with binary packages and a level of 'trust' i think
Comment 1 SpanKY gentoo-dev 2004-10-09 15:25:56 UTC
the file should sign everything, not just CONTENTS

that means CATEGORY, CC, DEPEND, LICENSE, etc...
Comment 2 SpanKY gentoo-dev 2004-10-09 15:26:17 UTC
*** Bug 64261 has been marked as a duplicate of this bug. ***
Comment 3 Brian Harring (RETIRED) gentoo-dev 2005-02-28 00:59:49 UTC
This seems a bit wonky.  How to sign it automatically?  Have an unencrypted key?  Etc.

Seems to me stricter perms might be a better start.
Comment 4 Jason Stubbs (RETIRED) gentoo-dev 2005-10-16 00:52:55 UTC
Closing this as WONTFIX until its usefulness can be shown.
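
A sketch of the scheme proposed in the Description and Comment 1, added here as an example; it is not Portage code and not part of the original thread. It hashes every file of a constructed vdb entry into a manifest, tags the manifest, and shows both the tampering case from the Description and the key-storage question from Comment 3. The `Manifest`/`Manifest.sig` file names, the HMAC used as a stand-in for a real signature, and the sample file contents are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

MANIFEST, SIG = "Manifest", "Manifest.sig"  # hypothetical file names

def build_manifest(pkg_dir):
    """Hash every metadata file (CONTENTS, CATEGORY, DEPEND, ...) in one vdb entry."""
    lines = []
    for path in sorted(Path(pkg_dir).iterdir()):
        if path.name in (MANIFEST, SIG) or not path.is_file():
            continue
        lines.append(f"SHA256 {hashlib.sha256(path.read_bytes()).hexdigest()} {path.name}")
    return ("\n".join(lines) + "\n").encode()

def sign(pkg_dir, key):
    """Write the manifest and its tag; HMAC stands in for a real signature."""
    manifest = build_manifest(pkg_dir)
    Path(pkg_dir, MANIFEST).write_bytes(manifest)
    Path(pkg_dir, SIG).write_text(hmac.new(key, manifest, hashlib.sha256).hexdigest())

def verify(pkg_dir, key):
    """True only if the stored tag matches the files as they are on disk now."""
    sig = Path(pkg_dir, SIG)
    if not sig.is_file():
        return False
    expected = hmac.new(key, build_manifest(pkg_dir), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.read_text().strip(), expected)

def demo():
    """Constructed vdb entry: clean check, edited CONTENTS, then two re-sign cases."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as pkg:
        Path(pkg, "CONTENTS").write_text("obj /usr/bin/nano <md5> <mtime>\n")
        Path(pkg, "CATEGORY").write_text("app-editors\n")
        sign(pkg, key)
        clean = verify(pkg, key)
        with open(Path(pkg, "CONTENTS"), "a") as fh:
            fh.write("obj /usr/bin/extra <md5> <mtime>\n")
        edited = verify(pkg, key)               # CONTENTS changed, tag is stale
        sign(pkg, b"not-the-real-key")
        wrong_key = verify(pkg, key)            # re-signed without the real key
        sign(pkg, key)
        real_key = verify(pkg, key)             # key readable on the box: passes
    return clean, edited, wrong_key, real_key

if __name__ == "__main__":
    print(demo())
```

The last case is the one Comment 3 points at: the check only detects an edited CONTENTS file while the signing key is out of reach of whoever edited it.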