Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 6356

Summary: sign packages
Product: Portage Development Reporter: Ole Tange <bugs.gentoo.org>
Component: CoreAssignee: Daniel Robbins (RETIRED) <drobbins>
Status: RESOLVED DUPLICATE    
Severity: normal CC: elcondor, hannes, kevin, mholzer
Priority: High    
Version: 2.0   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 2765    

Description Ole Tange 2002-08-12 05:53:29 UTC 
Recently we have just seen openssh being substituted by a trojan. I would like 
this never to happen on Gentoo. 
 
As things are now we check the MD5-sum of the source.tar.gz. But this is not 
good enough. 
 
One of my concerns is that portage is mirrored by many sites. As far as I know 
no security audit is made on these sites before they can act like a mirror. If 
one of these sites were compromised then people rsyncing to this site may get a 
trojan portage that will install trojanized packages. 
 
A solution to this would be if all ebuilds were digitally signed by Gentoo.org 
and emerge checked these signatures. If the signature failed it should still be 
possible to install the packages (e.g. by setting IGNORE_SIGNATURES=true).
Comment 1 SpanKY gentoo-dev 2002-08-12 07:46:59 UTC 
we rsync from mirrors, but we do not download source files from mirrors.
we get the source files from ibiblio.org, and well imho they are quite the
trust worthy source.
Comment 2 Ole Tange 2002-08-12 11:51:42 UTC 
I would expect ftp.openbsd.org to be trustworthy too, but for some reason they 
distributed a trojaned version for some time. The issue is really not wether I 
trust my distributor to be ill-willed, but wether I trust that: 
 
* his server is not cracked 
* his server is not IP-hijacked 
* his domainname is not DNS-hijacked 
 
I am pretty sure that ibiblio cannot guarantee that this will never happen. If 
the source is a trojan source, then this will be caught by the MD5-sum in the 
ebuild. But if the ebuild is trojaned, then the SRC_URI can be changed and a 
matching MD5-sum can be computed. 
 
If the attacker can make your system unable to reach ibiblio (e.g. by making a 
wrong static route) then emerge will fetch the SRC_URI. Then you will have 
installed a trojaned binary. There are probably even more sofisticated ways to 
attack the current system. 
 
I am not saying that we should have a complete web of trust between each an 
every packager. I just want to make sure that the files I get are exactly the 
same as the packager had. A simple robotic signing of everything that passes 
through gentoo.org will be sufficient for this as long as: 
 
* the packager is trustworthy 
* gentoo.org is trustworthy 
 
If gentoo.org is IP-hijacked/DNS-hijacked then the rsync'ed ebuilds will not be 
signed with the correct key and the rsync should warn about this. For security 
the actual robotic signing should probably take place on a highly secured 
machine so the risk of having this machine cracked is minimal. 
 
By the way: I do not use ibiblio but instead the mirror at sunsite.dk. Can you 
vouch for their trustworthiness too?
Comment 3 SpanKY gentoo-dev 2002-09-14 23:42:49 UTC 
*** Bug 3042 has been marked as a duplicate of this bug. ***
Comment 4 SpanKY gentoo-dev 2002-09-30 21:35:49 UTC 

*** This bug has been marked as a duplicate of 5902 ***