crazy-bee Apprentice
Joined: 03 Jan 2003 Posts: 170
Posted: Wed Jun 25, 2003 6:39 am Post subject: Security of portage mirrors / MD5-Sums
Hi,
I'm sorry if this has been discussed before (Yeah, I did a basic search).
In my opinion, the current security concept of the rsync mirrors is pretty bad. There are way too many rsync mirrors. Let me give you an example.
- I'm a bad guy
- I'm hosting (or have hacked) one of the many many rsync mirrors
- I'm injecting a "new" ebuild, e.g. mplayer-0.90-r13
- I'm having the Homepage URL set to some bogus server
- I'm setting the MD5 sum to the correct value of the fake file
- Since no 'real' gentoo ftp-server is hosting my file, I'm bounced back to the original homepage where the backdoored file is
- The MD5 sum (of course) is correct, since I set that at my rsync server
*BOOM* You're owned.
I hope you see that problem. The solution (in my opinion) is to only have very few *trusted* rsync mirrors which host the MD5 sums. You say that may slow down everything. But there could be 3 kinds of servers distributing gentoo: 1 only for MD5-sums, 1 for portage tree, 1 for files.
I love gentoo, but the current situation frightens me!
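
The concern raised in the post above, as an added example that is not part of the thread: a checksum published by the same mirror that serves the ebuild only detects corruption, while a checksum list fetched from a separately trusted server rejects the injected file. The `<digest> <filename>` manifest format, the file names and the file contents are constructed for illustration (not Portage's own format), and SHA-256 stands in for the MD5 sums discussed.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse '<hex digest> <filename>' lines (constructed format) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hex_digest, _, name = line.partition(" ")
        entries[name.strip()] = hex_digest.lower()
    return entries

def verify(name: str, data: bytes, manifest: dict) -> bool:
    """Fail closed: a file with no entry in the manifest is rejected."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(data))

def audit(name: str, data: bytes, mirror_manifest: dict, trusted_manifest: dict) -> dict:
    """Compare the verdict of the mirror's own checksums with the trusted list."""
    return {
        "mirror_says_ok": verify(name, data, mirror_manifest),
        "trusted_says_ok": verify(name, data, trusted_manifest),
    }

# Constructed sample data: one genuine source archive, one tampered archive.
GENUINE = b"genuine mplayer-0.90 sources"
TAMPERED = b"tampered sources served from the bogus homepage"

# Checksum list from the separately trusted server: knows only the real file.
TRUSTED = parse_manifest(f"{sha256_hex(GENUINE)} mplayer-0.90.tar.bz2\n")

# The compromised mirror controls both the ebuild and its checksum entry.
MIRROR = parse_manifest(
    f"{sha256_hex(GENUINE)} mplayer-0.90.tar.bz2\n"
    f"{sha256_hex(TAMPERED)} mplayer-0.90-r13.tar.bz2\n"
)

if __name__ == "__main__":
    print(audit("mplayer-0.90-r13.tar.bz2", TAMPERED, MIRROR, TRUSTED))
    print(audit("mplayer-0.90.tar.bz2", GENUINE, MIRROR, TRUSTED))
```
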
SpinDizzy n00b
Joined: 28 May 2003 Posts: 63 Location: Moss Vale, Australia
Posted: Wed Jun 25, 2003 12:01 pm
Actually, I think more mirrors would help as they would lessen the impact of a "cracked mirror" (seven years bad luck for the black hat).
Splitting the servers up into different functions makes it even harder to ensure they are synced, especially with the round robin DNS.
Never mind the new ebuild of mplayer, I always keep my eye on the "new" ebuilds of things like iptables.