Mailing List Archive: Gentoo: Security

How to authenticate the portage tree

Index | Next | Previous | View Threaded

simons at cryp

Nov 7, 2004, 7:41 PM

Post #1 of 2 (596 views)
Permalink

How to authenticate the portage tree

(1) Run "find /usr/portage -type f | xargs sha1sum -b" on
the Gentoo main system.

(2) Sign the output with GPG.

(3) Put it into the portage tree.

(4) If the user has GPG installed and has manually put the
appropriate public key in some place _outside_ of the
portage tree, have "emerge sync" verify that the
signature is intact and all hashes hold.

(5) Missing files in the tree are okay (rsync_excludes),
files in the tree which do not have a hash are not okay.

--
gentoo-security [at] gentoo mailing list

genone at gentoo

Nov 8, 2004, 1:05 PM

Post #2 of 2 (514 views)
Permalink

Re: How to authenticate the portage tree [In reply to]

On 08 Nov 2004 03:41:22 +0100
Peter Simons <simons [at] cryp> wrote:

> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
> the Gentoo main system.

What's the 'Gentoo main system'?

> (2) Sign the output with GPG.

Who does that?

Basically we do that already with Manifests, just that they
don't cover the whole tree (yet).

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads