877241 – sys-apps/portage: should binary package index be signed as well?

Bug 877241 - sys-apps/portage: should binary package index be signed as well?

Summary: sys-apps/portage: should binary package index be signed as well?

Status:	CONFIRMED

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Binary packages support (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Portage team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2022-10-15 19:47 UTC by Michał Górny
Modified:	2023-09-19 07:17 UTC (History)
CC List:	5 users (show)

See Also:	248089
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-10-15 19:47:13 UTC

I'm wondering whether we should be signing the Packages file as well.  There aren't probably any very dangerous attack vectors via replacing the index but I suppose there's no harm in doing that either.

One attack I can think of is modifying binary package's *DEPEND in index to trick the user into installing an additional package, perhaps one that could expose the system to a vulnerability.

Comment 1 Sheng Yu 2022-10-26 06:11:50 UTC

Sure, why not. As long as other tools willing to support GPG signing and compression.