Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 877241 - sys-apps/portage: should binary package index be signed as well?
Summary: sys-apps/portage: should binary package index be signed as well?
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Binary packages support (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Portage team
Depends on:
Reported: 2022-10-15 19:47 UTC by Michał Górny
Modified: 2022-10-26 06:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-15 19:47:13 UTC
I'm wondering whether we should be signing the Packages file as well.  There aren't probably any very dangerous attack vectors via replacing the index but I suppose there's no harm in doing that either.

One attack I can think of is modifying binary package's *DEPEND in index to trick the user into installing an additional package, perhaps one that could expose the system to a vulnerability.
Comment 1 Sheng Yu 2022-10-26 06:11:50 UTC
Sure, why not. As long as other tools willing to support GPG signing and compression.