
Bug 877241

Summary: sys-apps/portage: should binary package index be signed as well?
Product: Portage Development
Reporter: Michał Górny <mgorny>
Component: Binary packages support
Assignee: Portage team <dev-portage>
Status: CONFIRMED
Severity: normal
CC: ajak, andrewammerlaan, gentoo, sam, syu.os
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=248089
Whiteboard:
Package list:
Runtime testing required: ---

Description Michał Górny 2022-10-15 19:47:13 UTC
I'm wondering whether we should be signing the Packages file as well. There probably aren't any very dangerous attack vectors via replacing the index, but I suppose there's no harm in doing that either.

One attack I can think of is modifying a binary package's *DEPEND in the index to trick the user into installing an additional package, perhaps one that could expose the system to a vulnerability.
Comment 1 Sheng Yu 2022-10-26 06:11:50 UTC
Sure, why not. As long as other tools are willing to support GPG signing and compression.