Recently we have just seen openssh being substituted by a trojan. I would like this never to happen on Gentoo. As things are now we check the MD5-sum of the source.tar.gz. But this is not good enough. One of my concerns is that portage is mirrored by many sites. As far as I know no security audit is made on these sites before they can act like a mirror. If one of these sites were compromised then people rsyncing to this site may get a trojan portage that will install trojanized packages. A solution to this would be if all ebuilds were digitally signed by Gentoo.org and emerge checked these signatures. If the signature failed it should still be possible to install the packages (e.g. by setting IGNORE_SIGNATURES=true).
We rsync from mirrors, but we do not download source files from mirrors. We get the source files from ibiblio.org, and well imho they are quite the trustworthy source.
I would expect ftp.openbsd.org to be trustworthy too, but for some reason they distributed a trojaned version for some time. The issue is really not whether I trust my distributor to be ill-willed, but whether I trust that:

* his server is not cracked
* his server is not IP-hijacked
* his domainname is not DNS-hijacked

I am pretty sure that ibiblio cannot guarantee that this will never happen. If the source is a trojan source, then this will be caught by the MD5-sum in the ebuild. But if the ebuild is trojaned, then the SRC_URI can be changed and a matching MD5-sum can be computed. If the attacker can make your system unable to reach ibiblio (e.g. by making a wrong static route) then emerge will fetch the SRC_URI. Then you will have installed a trojaned binary. There are probably even more sophisticated ways to attack the current system. I am not saying that we should have a complete web of trust between each and every packager. I just want to make sure that the files I get are exactly the same as the packager had. A simple robotic signing of everything that passes through gentoo.org will be sufficient for this as long as:

* the packager is trustworthy
* gentoo.org is trustworthy

If gentoo.org is IP-hijacked/DNS-hijacked then the rsync'ed ebuilds will not be signed with the correct key and the rsync should warn about this. For security the actual robotic signing should probably take place on a highly secured machine so the risk of having this machine cracked is minimal. By the way: I do not use ibiblio but instead the mirror at sunsite.dk. Can you vouch for their trustworthiness too?
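The attack described above (a compromised mirror swaps the tarball and recomputes the digest in the tree so a hash-only check still passes) and the proposed fix (a signature over the tree checked against a key the client already holds) can be played out in a few dozen lines. The following is an added illustration, not code from Portage or from anyone in this thread: the "DIST name digest" Manifest format, the Ed25519 key pair, the file name and the tarball contents are all constructed for the example, and SHA-256 stands in for the MD5 the thread mentions. The point it makes is that signing the Manifest, not the individual distfiles, is what lets the client detect a rewritten tree.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a distfile name to its hex-encoded SHA-256 digest.
// (Constructed format for this example: one "DIST <name> <sha256>" line per file.)
type Manifest map[string]string

// Serialize renders the Manifest in sorted order so the bytes that get
// signed are deterministic for a given set of entries.
func (m Manifest) Serialize() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "DIST %s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// Digest returns the hex SHA-256 of a distfile's contents.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDistfile is the hash-only check: it trusts whatever digest the
// Manifest lists, so it cannot notice a Manifest rewritten by an attacker.
func VerifyDistfile(m Manifest, name string, data []byte) bool {
	want, ok := m[name]
	return ok && want == Digest(data)
}

// SignManifest produces a detached signature over the serialized Manifest.
// This runs once, on the distributor's signing host, never on a mirror.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Serialize())
}

// VerifyManifest checks the signature against a pinned public key, i.e. a
// key the client already holds rather than one fetched from the mirror.
func VerifyManifest(pub ed25519.PublicKey, m Manifest, sig []byte) bool {
	return ed25519.Verify(pub, m.Serialize(), sig)
}

// VerifyTree is the combined check a signature-aware client would run: the
// Manifest must verify before any digest in it is trusted for a distfile.
func VerifyTree(pub ed25519.PublicKey, m Manifest, sig []byte, name string, data []byte) bool {
	return VerifyManifest(pub, m, sig) && VerifyDistfile(m, name, data)
}

// Outcome records what each check reported in the three scenarios below.
type Outcome struct {
	CleanHashOnly, CleanSigned         bool // honest mirror
	RewrittenHashOnly, RewrittenSigned bool // tarball and Manifest both rewritten
	SwappedHashOnly, SwappedSigned     bool // tarball rewritten, Manifest left alone
}

// RunScenario plays out the thread's concern with constructed data.
func RunScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const name = "example-1.0.tar.gz" // constructed file name
	good := []byte("honest upstream tarball (constructed)")
	bad := []byte("trojaned tarball (constructed)")

	honest := Manifest{name: Digest(good)}
	sig := SignManifest(priv, honest)

	var o Outcome
	o.CleanHashOnly = VerifyDistfile(honest, name, good)
	o.CleanSigned = VerifyTree(pub, honest, sig, name, good)

	// Compromised mirror: tarball replaced and the digest recomputed to match.
	rewritten := Manifest{name: Digest(bad)}
	o.RewrittenHashOnly = VerifyDistfile(rewritten, name, bad)
	o.RewrittenSigned = VerifyTree(pub, rewritten, sig, name, bad)

	// Compromised mirror that only swapped the tarball: the digest check catches it.
	o.SwappedHashOnly = VerifyDistfile(honest, name, bad)
	o.SwappedSigned = VerifyTree(pub, honest, sig, name, bad)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it shows RewrittenHashOnly as true and RewrittenSigned as false: the rewritten tree sails through the digest-only check but fails the signature, because the attacker cannot re-sign the Manifest without the distributor's private key. The client must obtain that public key out of band (shipped with the install media, for instance), since a key fetched from the same mirror could be replaced along with the tree.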
*** Bug 3042 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of 5902 ***