What's preventing forged ebuilds from a renegade mirror?

[joshtimmons]

As far as I know, it's fairly easy to set up a portage mirror. What's to stop some malevolent soul from setting up a mirror, then changing xyz.ebuild to download and install a trojan package instead of the true package?

Hopefully I'm missing something obvious.

[delta407]

[joshtimmons]

Thanks for the reply.

I don't think you can rely on the master server to detect that for many reasons - for example, the renegade mirror can always treat the master server as a "special" client and give it the right stuff.

Even if this weren't an attack against the entire user base (which would be very effective, but ultimately non-stealthy, somebody would notice, eventually), this could be used to root individual systems that were known to run Gentoo. This type of attack might never be detected.

I know we're still at the mercy of the upstream packages, but those still generally come from trusted sites and we hope the authors are watching their packages. On the other hand, the portage mirror is unchecked, is a single point of failure for thousands of packages, runs as root, and many people even trust it enough to schedule upgrades.

The only fix is probably signed ebuild files (or the entire portage tree). Without that, it's trivially easy to start owning some boxes.

[rac]

[sodaphish]

If Gentoo is going to be taken seriously at the enterprise level, this issue needs to be addressed. Mac OS X had a similar vulnerability in the SoftwareUpdate app (see http://docs.info.apple.com/article.html?artnum=75304 for more information) which was promptly addressed by Apple.

The only thing that would prevent this issue from being a major hurdle to enterprise users is that few people know about it... which, of course, could change.

-C

[mmealman]

Secure Portage is already being worked on.

[puddpunk]

Currently, the mirror admins of gentoo (the global mirror devs, not the server admins) run scripts frequently to check that all the mirrors are sync'd. if there is a mirror out of sync, that mirror is taken out of round-robin DNS rotation until the mirror is back in sync.

So if content on one mirror differs from the other mirrors, access is cut. It's not foolproof, and it's not an ideal solution. It's what we got.

Ebuild signing, Gentoo uber and dev keys are being thought out at the moment. Have a look through the gentoo-securoty or the gentoo-hardened lists for more information.

[Black]

A temporary solution might be to download the MD5 from another server. I have no idea how much programming/time would be required for such a thing. "MD5-servers" would have to be limited to a few which would have to be controled.

Then again, maybe it would take as much time to implement as it would for the signed ebuild, making such a solution irrelevant.

[sodaphish]

So, in the spirit of keeping the Gentoo Social Contract, does this particular issue have an open Bug ID? If so, what is it?

-C

[sodaphish]

might be that what if an attacker isn't targetting the global Gentoo user-base, but rather a specific installation? The sync reports and DNS round-robin aren't going to save that specific installation -- but a well crafted and secure portage system would.

-C