# Gentoo Package Security Model

## GenQ

Greetings.

As a new member of the community, I have a few brief questions concerning Gentoo's package security practices.  These general questions arise based upon common practices seen throughout the contemporary Linux community as a whole, and in relevant context with known overarching interests which can pursue self-serving goals if not carefully excluded.

Firstly, I have been given to understand that Portage may be configured to execute SHA-level package verification upon receipt as a matter of course.  Is this true; or does this system rely exclusively upon MD5 checksums to ensure delivered package integrity?

Relatedly, how are received packages verified at the Gentoo side before redistribution to end-user installations?

Next, what vetting is required by Gentoo regarding individuals involved in the chain of custody for packages which are distributed by Gentoo?

Finally, who are the stakeholders in the Gentoo Project?  Apart from user-level donations, where does the Project's funding originate?

Thank you for your insights, and have a good day.

----------

## roboto

 *GenQ wrote:*   

> Finally, who are the stakeholders in the Gentoo Project?

 

In this link, you'll find the answers:

https://gentoo.org/inside-gentoo/

----------

## khayyam

 *GenQ wrote:*   

> Firstly, I have been given to understand that Portage may be configured to execute SHA-level package verification upon receipt as a matter of course.  Is this true; or does this system rely exclusively upon MD5 checksums to ensure delivered package integrity?

 

GenQ ... via PORTAGE_CHECKSUM_FILTER (see: 'man make.conf'), so for example:

```
PORTAGE_CHECKSUM_FILTER="-* sha256"
```

 *GenQ wrote:*   

> Relatedly, how are received packages verified at the Gentoo side before redistribution to end-user installations?

 

What packages? The 'distfiles' are the same as those distributed by upstream, so whatever method they provide would be used prior to the Manifest being created. If you wanted to verify this then replace the tarball (assumedly from a mirror) with that downloaded from upstream and it should pass checksum.

 *GenQ wrote:*   

> Next, what vetting is required by Gentoo regarding individuals involved in the chain of custody for packages which are distributed by Gentoo?

 

Again, what packages, we don't have any. All that are distributed are the ebuilds, eclasses, (package building instructions) a 'Manifest', patches (possibly) and a metadata.xml. The rest, ie the "package" (source code) is provided by upstream. The various "package" tarballs on a mirror should be identical to the one from upstream (and I seem to remember you can have portage use those sources rather than pull from a mirror). 

 *GenQ wrote:*   

> Finally, who are the stakeholders in the Gentoo Project?  Apart from user-level donations, where does the Project's funding originate?

 

Gentoo is (supposed to be) "a community based around a distribution" (see our charter, specifically "for the community, by the community" and "gentoo is independent") however, if you're a developer (and a council member) you can deny you are subject to the charter, or have any responsibility toward that community, without any consequence, so take that charter as nothing more than toilet paper. As for money, this is all the domain of the trustees, so you'd have to ask them, or look to the financial records they release (NeddySeagoon will be able to point you to them, they're online somewhere).

best ... khay

----------

## John R. Graham

 *GenQ wrote:*   

> Firstly, I have been given to understand that Portage may be configured to execute SHA-level package verification upon receipt as a matter of course.  Is this true; or does this system rely exclusively upon MD5 checksums to ensure delivered package integrity?

 Where'd you get that? By default, three different message digests are checked for every file in the Portage tree, presumably on the theory that it would be even more impractical to induce a malicious collision on three different message digest algorithms simultaneously; none of them are as weak as MD5. They are SHA-256, SHA-512, and Whirlpool.

As Khay said, none of those files are "packages", per se. Instead, they're information on how to patch, build, and install the source code (for which there's also a triplet of digests recorded) which results in an installed package. However the information is organized by package category, package name, and package version; less pedantically, we do say things like, "Is package foo-1.2.3 in Portage?" The distinction is nevertheless there.

 *GenQ wrote:*   

> Relatedly, how are received packages verified at the Gentoo side before redistribution to end-user installations?
> 
> Next, what vetting is required by Gentoo regarding individuals involved in the chain of custody for packages which are distributed by Gentoo?

Each package (see there: I did it!) in the Portage tree is the responsibility of a Gentoo Developer or a team of Developers. A package may exist in the tree in (roughly) three states:

- Hard Masked. This means it's known to have problems and further testing is warranted. No Gentoo user or developer will be exposed to this type of package without explicitly unmasking it.

- Testing. (Also sometimes called "keyword masked", but I wouldn't want to spoil all of your reading fun.) In this state, the package is thought to function properly by the responsible developer, but wide testing is not complete. Some bugs may be outstanding but they're not show stoppers. Developers are required (or strongly encouraged) to run "testing branch" systems. Many regular Gentoo users also run "testing branch" systems but the default is...

- Stable. Some level of testing is complete. The package has been shown to generally "play well with others". No open critical bugs have existed for 30 days (or thereabouts). A default Gentoo installation runs "stable branch".

Regarding how people with commit access to the Portage tree are vetted, they must become Gentoo Developers. See our Become a Developer page for some of the details.

If I haven't touched on everything you wanted to know, just ask.

- John
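The two answers above (khayyam's `PORTAGE_CHECKSUM_FILTER="-* sha256"` and John's point that every distfile carries several digests that are all checked by default) describe the same mechanism from two sides. The following is an added example written for this thread, not code from Portage or from any poster: it builds a Manifest2 `DIST` entry for a constructed stand-in tarball, verifies data against it, and applies a simplified model of the documented filter syntax (hash names or `*`, `-` to disable, later tokens win). The fallback of checking every recorded hash when a filter would disable all of them is this example's own assumption, as is the use of BLAKE2B in place of Whirlpool, which `hashlib` does not reliably provide.

```python
import hashlib
import hmac

# Constructed sample input: these bytes stand in for a distfile tarball.
SAMPLE_DISTFILE = b"constructed stand-in for the contents of foo-1.2.3.tar.gz\n"

# Hash names as written in Manifest2 DIST entries, mapped to hashlib constructors.
# Whirlpool (named in the thread) is left out only because hashlib does not
# reliably ship it; BLAKE2B stands in as the third algorithm (assumption).
HASH_FUNCS = {
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
    "BLAKE2B": hashlib.blake2b,
}


def make_dist_entry(filename, data):
    """Build a Manifest2 entry: DIST <file> <size> <HASH> <hex> [<HASH> <hex> ...]."""
    fields = ["DIST", filename, str(len(data))]
    for hash_name, ctor in HASH_FUNCS.items():
        fields += [hash_name, ctor(data).hexdigest()]
    return " ".join(fields)


def parse_dist_entry(line):
    """Return (filename, size, {HASH: hexdigest}) from a DIST line; reject malformed input."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "DIST" or (len(parts) - 3) % 2:
        raise ValueError("malformed DIST entry: %r" % line)
    digests = {parts[i].upper(): parts[i + 1] for i in range(3, len(parts), 2)}
    return parts[1], int(parts[2]), digests


def apply_checksum_filter(digests, filter_str=""):
    """Pick the recorded hashes to verify, using PORTAGE_CHECKSUM_FILTER syntax.

    Simplified model of the documented semantics: tokens are hash names or '*',
    a '-' prefix disables, names are case-insensitive, the last token that
    mentions a hash wins, and a hash no token mentions is disabled once any
    filter is given. An empty filter keeps everything. Assumption of this
    example: a filter that would disable every hash falls back to all recorded
    hashes, so a misspelled filter never silently turns verification off.
    """
    tokens = filter_str.upper().split()
    if not tokens:
        return dict(digests)
    selected = set()
    for hash_name in digests:
        decision = False
        for token in tokens:
            enable = not token.startswith("-")
            name = token if enable else token[1:]
            if name in ("*", hash_name):
                decision = enable
        if decision:
            selected.add(hash_name)
    if not selected:
        selected = set(digests)
    # Preserve the Manifest's own ordering so failure reports are deterministic.
    return {h: v for h, v in digests.items() if h in selected}


def verify_distfile(data, dist_entry, checksum_filter=""):
    """Check data against a DIST entry. Returns (ok, list of failed checks)."""
    _, size, digests = parse_dist_entry(dist_entry)
    if len(data) != size:
        return False, ["size"]
    failed, checked = [], 0
    for hash_name, expected in apply_checksum_filter(digests, checksum_filter).items():
        ctor = HASH_FUNCS.get(hash_name)
        if ctor is None:
            continue  # recorded with an algorithm this host cannot compute
        checked += 1
        actual = ctor(data).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            failed.append(hash_name)
    if checked == 0:
        # Never pass vacuously: an entry we cannot verify is a failure.
        return False, ["no verifiable hash"]
    return not failed, failed


if __name__ == "__main__":
    entry = make_dist_entry("foo-1.2.3.tar.gz", SAMPLE_DISTFILE)
    print(entry)
    print("all digests:", verify_distfile(SAMPLE_DISTFILE, entry))
    print("sha256 only:", verify_distfile(SAMPLE_DISTFILE, entry, "-* sha256"))
    tampered = bytes([SAMPLE_DISTFILE[0] ^ 1]) + SAMPLE_DISTFILE[1:]
    print("tampered:   ", verify_distfile(tampered, entry, "-* sha256"))
```

Narrowing the filter to one algorithm trades the "three digests at once" margin John describes for speed; the example keeps the size check and refuses to pass when none of the selected algorithms is available, which is the failure mode a narrow filter most easily creates.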

----------

## NeddySeagoon

GenQ,

Most of Gentoo's funding is met with "donations in kind".   Companies that operate data centres donate equipment to Gentoo.

This includes ongoing operating and maintenance costs.    See the server list.

That list includes a small number of servers that Gentoo rents.

Gentoo owns some equipment installed at the Oregon State University Open Source Lab (OSUOL).

Gentoo maintains that but running costs are funded by the OSUOL.

Gentoo pays fees to various organisations, e.g. the New Mexico state, when we file paperwork, to renew domain names, keep the Gentoo registered marks up to date.

That's the 'G' logo and the word 'Gentoo' used in the context of our distro. There are other things too.

As Gentoo is an all volunteer distro, it uses the services of volunteers whenever possible.  

Gentoo's main sources of income are the Google Summer of Code and paypal donations.

The financial reports for 2005 to 2012 are published.

Prior to 2005, Gentoo was owned by Gentoo Technologies Inc., a for profit organisation owned by Daniel Robbins.

After 2012, the Foundation lost contact with its treasurer. A state of affairs that is still being rectified. The missing financial reports will be added as soon as Gentoo has access to the information again.

Meanwhile, there is an interim financial report for 2016.

For more details, email trustees at gentoo dot org, come along to trustees meetings in #gentoo-trustees at irc.freenode.net. See the channel topic for dates, times and the agenda.

You can ask questions there any time but responses are unlikely to be immediate.

----------

## GenQ

When posting this missive, I knew I could run afoul of someone's sensibilities regarding at least one aspect.  I am glad the inquiry proved to be generally non-traumatic; and well appreciate the information so provided.

Thank you, again, for your assistance.

If I might, OS security is of concern these days for all who may be subject to the whims of various substantial interests.  When data is being adversarially accumulated on humanity as a whole at the exabyte-level, what we have running client-side on our systems should be as carefully guarded as possible.

Ironically, there seems to be an overall sense of either apathy or disinterest beyond the fashionable in many popular distro communities these days when it comes to reasonably ensuring the integrity of security updates and package distributions (or their analogues).  This is arguably the area of greatest ongoing vulnerability for any installation vis-a-vis those interests which are funded with the sole intention of affecting control over entire peoples by leveraging their individual personal information.

While it may not be possible to eliminate all vulnerability in these transactions, in many instances it would seem much more could be done with only a bit more effort and imagination using the resources which already exist.

Cheers --

----------

## John R. Graham

Missive? There's that word again. Just don't let it descend into disquisition. ;)

Apathy? No. Disinterest? Well, maybe a little. Gentoo does have a formal enhancement proposal process called GLEP (Gentoo Linux Enhancement Proposal). There's been a fair amount of thought put into the security of our distributed materials. See in particular:

- GLEP 57: Security of distribution of Gentoo software - Overview
- GLEP 58: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
- GLEP 59: Manifest2 hash policies and security implications
- GLEP 60: Manifest2 filetypes

It's just that, as NeddySeagoon has described, we're all volunteer: we don't have a cadre of paid developers helping us achieve those goals. We are moving slowly in that direction, though. (Infrastructure security, not paid developers.)

Edit: Split off a worthwhile but off topic discussion that I inadvertently started to The Nature of our All Volunteer Workforce. 

- John

----------

## R0b0t1

 *GenQ wrote:*   

> Greetings.
> 
> As a new member of the community, I have a few brief questions concerning Gentoo's package security practices.  These general questions arise based upon common practices seen throughout the contemporary Linux community as a whole, and in relevant context with known overarching interests which can pursue self-serving goals if not carefully excluded.
> 
> Firstly, I have been given to understand that Portage may be configured to execute SHA-level package verification upon receipt as a matter of course.  Is this true; or does this system rely exclusively upon MD5 checksums to ensure delivered package integrity?
> ...

 

While this is covered in GLEP 57 (somewhat indirectly), I feel it needs special attention: all files downloaded by portage are verified, but the code which downloads and verifies those files is not verified after download by default. It is trivial to intercept an rsync of the portage tree and modify ebuilds to execute malicious code with elevated permissions. For this reason I would suggest using portage's webrsync-gpg feature.

If that feature is enabled the last insecure portion of the entire process is the code which is hashed for inclusion in the ebuild.
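The gap R0b0t1 describes is that an unsigned rsync of the tree delivers the very Manifests and ebuilds that do the verifying. The fragment below is an added example for this thread, not the project's shipped configuration: it shows a `repos.conf` entry with no verification of the synced tree next to two hardened alternatives, using the `sync-*` option names that Portage documents for `repos.conf`. All paths and the mirror host are placeholders, and the sections are alternatives to choose between, not meant to coexist in one file.

```ini
; Added example: alternatives for /etc/portage/repos.conf/gentoo.conf
; (placeholder paths; pick ONE of the three [gentoo] sections)

; Weak: plain rsync, nothing checks the tree after download. A modified
; ebuild or Manifest arriving this way is trusted as-is.
[gentoo]
location = /PLACEHOLDER/repos/gentoo
sync-type = rsync
sync-uri = rsync://PLACEHOLDER.mirror.example/gentoo-portage
auto-sync = yes

; Hardened, rsync route: the signed MetaManifest (GLEP 58) covering the
; whole tree is verified against the release key after every sync, and a
; snapshot older than the stated age is rejected.
[gentoo]
location = /PLACEHOLDER/repos/gentoo
sync-type = rsync
sync-uri = rsync://PLACEHOLDER.mirror.example/gentoo-portage
auto-sync = yes
sync-rsync-verify-metamanifest = yes
sync-rsync-verify-max-age = 24
sync-openpgp-key-path = /PLACEHOLDER/keys/gentoo-release.asc

; Hardened, webrsync route (the feature R0b0t1 recommends): the snapshot
; tarball's detached OpenPGP signature is checked before it is unpacked.
; The older make.conf spelling of the same idea is FEATURES="webrsync-gpg"
; with PORTAGE_GPG_DIR pointing at a keyring that holds the release key.
[gentoo]
location = /PLACEHOLDER/repos/gentoo
sync-type = webrsync
auto-sync = yes
sync-webrsync-verify-signature = yes
sync-openpgp-key-path = /PLACEHOLDER/keys/gentoo-release.asc
```

Either hardened variant moves trust from the mirror to the release key, so the remaining question is how that key reaches the machine: a keyring installed from an already-verified package, or a fingerprint checked out of band, rather than a key fetched over the same untrusted path as the tree.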

----------

## GenQ

@R0b0t1:

Thank you for sharing your insights in this.  Every little bit helps in these matters...

Have a great day.

----------

