# Gentoo portage security

## Kasumi_Ninja

I'm trying to figure out the current state of Gentoo's portage security. If I understand correctly, fewer than 3000 ebuilds are signed. This means that if an rsync mirror is compromised, ebuilds can be manipulated to install malicious software on the PC of a user syncing with this mirror. Is this correct? And if so, is this a real risk or more a hypothetical scenario?

----------

## NeddySeagoon

Kasumi_Ninja,

Full tree signing is a work in progress.  I can find the GLEPs if you want to know the proposals and current state.

If a Gentoo rsync mirror were compromised and ebuilds were tampered with, then anything is possible.

The ebuilds could be directed to download sources from anywhere and the manifests could be made to match.

The attacker would need to stop the compromised rsync server resyncing with the master mirror, or the attack would last at most 30 minutes, as that's how often rsync mirrors sync.

Further, users can detect and avoid stale servers.

Such an attack would need both a break in and root exploit.  While what you say is possible in theory, there are easier targets to compromise.
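One way a user can act on the "detect stale servers" point above: compare the tree's metadata timestamp against the clock and refuse to trust a snapshot that is much older than the mirrors' sync interval. This is an added example, not code from the thread or from Portage; it assumes the `metadata/timestamp.x` layout (first field is a Unix epoch) and the two-hour limit is the example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread or from Portage): flag a Portage tree
# whose metadata timestamp is older than a threshold, which is how a user can
# notice an rsync mirror that has stopped resyncing with the master.
# Assumption: the file follows the metadata/timestamp.x layout, whose first
# field is a Unix epoch. MAX_AGE_SECONDS is the example's own choice.

MAX_AGE_SECONDS=${MAX_AGE_SECONDS:-7200}   # 2 hours; mirrors normally sync every 30 minutes

# tree_age_seconds FILE NOW -> prints the snapshot age in seconds, 2 if unreadable
tree_age_seconds() {
    stamp=$(awk 'NR == 1 { print $1 }' "$1" 2>/dev/null)
    case "$stamp" in
        ''|*[!0-9]*) echo "unreadable timestamp in $1" >&2; return 2 ;;
    esac
    echo $(( $2 - $stamp ))
}

# check_tree_freshness FILE [NOW] -> 0 if fresh, 1 if stale, 2 on error
check_tree_freshness() {
    now=${2:-$(date +%s)}
    age=$(tree_age_seconds "$1" "$now") || return 2
    if [ "$age" -gt "$MAX_AGE_SECONDS" ]; then
        echo "STALE: tree snapshot is ${age}s old (limit ${MAX_AGE_SECONDS}s)" >&2
        return 1
    fi
    echo "OK: tree snapshot is ${age}s old"
    return 0
}

# Constructed sample files (not real mirror data) so the script runs offline.
tmp=$(mktemp -d)
printf '%s\n' "1617678490 Tue Apr  6 03:08:10 UTC 2021" > "$tmp/old.x"
printf '%s\n' "$(date +%s) $(date -u)" > "$tmp/fresh.x"
check_tree_freshness "$tmp/fresh.x" || true   # prints OK
check_tree_freshness "$tmp/old.x" || true     # prints STALE
rm -rf "$tmp"
```

On a real system the file to pass is `${PORTDIR:-/usr/portage}/metadata/timestamp.x`; a STALE result after `emerge --sync` is a reason to pick another mirror rather than to proceed with an update.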

----------

## Kasumi_Ninja

There is a bug report which hasn't been updated in a while: "reject commits of unsigned Manifest files to the tree". Is there any news about the status of rejecting commits of unsigned Manifests?

How do users detect stale servers? I think you've explained very well that it is more a hypothetical than a real-world risk. Which makes me wonder what is the difference between Arch Linux unsigned repositories and Gentoo's Portage?

----------

## m0p

If you're worried about compromised rsync mirrors, use `emerge-webrsync` with `FEATURES="webrsync-gpg"` to grab a signed snapshot. Just set `PORTAGE_GPG_DIR="/etc/portage/gpg"` and add the relevant key with `--homedir=/etc/portage/gpg` in the args and you're sorted.

The contents of the tree being signed is another matter, but if that gets compromised, there'll be trouble anyway.
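A small audit of the two settings m0p names, with a weak `make.conf` beside a corrected one. This is an added example, not code from the thread or from Portage: its parser is a plain line match on quoted assignments, so values built up from `${FEATURES}` in several files are only partly handled, and that limitation is the example's, not Portage's.

```shell
#!/bin/sh
# Added example (not from the thread or from Portage): audit a make.conf for
# the signed-snapshot settings, FEATURES containing webrsync-gpg and
# PORTAGE_GPG_DIR pointing at the keyring directory. Assumption: settings are
# simple quoted assignments in one file; this is not Portage's own parser.

# conf_value FILE VAR -> prints the last quoted assignment of VAR in FILE
conf_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\(.*\)[\"'][[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_webrsync_gpg FILE -> 0 when both settings are present, 1 otherwise
check_webrsync_gpg() {
    feats=$(conf_value "$1" FEATURES)
    gpgdir=$(conf_value "$1" PORTAGE_GPG_DIR)
    rc=0
    case " $feats " in
        *" webrsync-gpg "*) echo "OK: FEATURES enables webrsync-gpg" ;;
        *) echo "WEAK: webrsync-gpg not in FEATURES, snapshots are not signature-checked"; rc=1 ;;
    esac
    if [ -n "$gpgdir" ]; then
        echo "OK: PORTAGE_GPG_DIR=$gpgdir"
    else
        echo "WEAK: PORTAGE_GPG_DIR unset, emerge-webrsync has no keyring to verify against"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not a real system's make.conf).
tmp=$(mktemp -d)
cat > "$tmp/make.conf.weak" <<'EOF'
# constructed sample: plain rsync tree, nothing verified
FEATURES="parallel-fetch"
EOF
cat > "$tmp/make.conf.good" <<'EOF'
# constructed sample: signed snapshots via emerge-webrsync
FEATURES="parallel-fetch webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"
EOF
echo "== weak";  check_webrsync_gpg "$tmp/make.conf.weak" || true
echo "== good";  check_webrsync_gpg "$tmp/make.conf.good" || true
rm -rf "$tmp"
```

The check only tells you the settings are present; the keyring in `PORTAGE_GPG_DIR` still has to be populated with the signing key, imported with `gpg --homedir /etc/portage/gpg --import` as the post describes, before `emerge-webrsync` can verify anything.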

----------

## cyberjun

Hi,

Do you think selecting 3 random mirrors to download manifest files for a given ebuild before proceeding with a merge operation could be a good idea?

This way even if one of the mirrors is compromised, the other manifest files will not match. Then portage can flag an error and exit.

--cyberjun

----------

## webdawg

So can I or can I not be sure if I am getting the right files?  What is to stop someone from injecting bad packages and sums into my gentoo updates?  This seems like the very thing a group would want to do when they would like to compromise a system.

This is one of the main reasons that I want to move from arch.  No signed packages.

----------

## Hu

You cannot be sure you are getting the right packages.  Even if you were sure of the distfile checksum, most ebuilds pull in one or more eclasses which are not cryptographically verified.

----------

## webdawg

Hmm.  Not good my friend.  Eclasses?  You mean external downloads?  I would be satisfied with sha256 sigs of the external files and just have those sums verified.

----------

## Hu

I mean the files that show up when you run `find ${PORTDIR:-/usr/portage}/eclass -name '*.eclass'`.  As far as I know, Portage does not even verify a digest for those files before importing them.  However, my information may be stale.  It has been a couple of years since I read on it in detail.
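Since Portage, per Hu's description, does not digest-check eclasses before sourcing them, a user can at least keep their own baseline of the eclass directory and compare it after every sync. This is an added example, not code from the thread or from Portage; the baseline location and the `sha256sum` format are the example's own choices, and the sample eclass content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Portage): keep a sha256 baseline
# of the eclass directory and re-check it after each sync, because Portage
# itself does not verify a digest before sourcing eclasses. Paths and the
# baseline location are the example's own choices.

# record_eclass_baseline ECLASS_DIR BASELINE -> writes "hash  ./name.eclass" lines
record_eclass_baseline() {
    base=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && find . -name '*.eclass' -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$base"
}

# verify_eclass_baseline ECLASS_DIR BASELINE -> 0 when every recorded eclass
# still matches and no unrecorded eclass has appeared, 1 otherwise
verify_eclass_baseline() {
    base=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    rc=0
    # modified or deleted eclasses: sha256sum reports each one as FAILED
    ( cd "$1" && sha256sum -c --quiet "$base" ) || rc=1
    # new eclasses: anything on disk that the baseline never recorded
    for f in $(cd "$1" && find . -name '*.eclass'); do
        awk -v f="$f" '$2 == f { found = 1 } END { exit !found }' "$base" \
            || { echo "UNTRACKED: $f"; rc=1; }
    done
    return $rc
}

# Constructed sample tree (not a real Portage checkout) so the script runs offline.
tmp=$(mktemp -d)
mkdir "$tmp/eclass"
printf '# constructed sample eclass\ninherit toolchain-funcs\n' > "$tmp/eclass/sample.eclass"
record_eclass_baseline "$tmp/eclass" "$tmp/eclass.sha256"
verify_eclass_baseline "$tmp/eclass" "$tmp/eclass.sha256" && echo "baseline clean"
printf 'src_unpack() { :; }\n' >> "$tmp/eclass/sample.eclass"   # simulate an unexpected change
verify_eclass_baseline "$tmp/eclass" "$tmp/eclass.sha256" || echo "eclass tree differs from baseline"
rm -rf "$tmp"
```

On a real system the directory is `${PORTDIR:-/usr/portage}/eclass`, and the baseline belongs somewhere the sync cannot overwrite. A FAILED or UNTRACKED line after a sync is not proof of tampering, since eclasses do legitimately change, but it is the cue to read the diff before the next `emerge` sources that file as root.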

----------

