Re: kernel.org status: hints on how to check your machine for intrusion

From: Andrea Arcangeli
Date: Fri Oct 07 2011 - 05:28:23 EST


On Fri, Sep 30, 2011 at 04:59:24PM -0700, Greg KH wrote:
> If you have a source-based system (Gentoo, LFS, etc.) you presumably
> know what you are doing already.

Gentoo portage updates through mirrors by default are insecure and I'm
not sure everyone knows what they're doing already, considering it's not
the default and if I talk to people they're not aware of it. So I
thought it's appropriate to send a reminder considering your topic...

To be secure if you use Gentoo you need to add webrsync-gpg to
FEATURES in make.conf and then use only emerge-webrsync (and never use
emerge --sync). Then you should be safe; after that the
SHA1/SHA256/RMD160 of every further download is verified against the
Manifests which have been cryptographically signed. It's very naive
and too insecure to trust any random mirror and emerge --sync should
be abolished and webrsync-gpg should be the default in FEATURES. After
you see "Good signature from" in output from emerge-webrsync you
should be safe. tarsync then speeds things up.
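Added example (not part of the original message and not Portage's own code): a minimal Python sketch of the per-download check the message describes, comparing a fetched file's size and SHA1/SHA256/RMD160 digests with its Manifest entry. It assumes the Manifest2 line layout `DIST <file> <size> <HASH> <hex> ...`; the file contents and Manifest line are constructed, and the result is only as trustworthy as the signature check on the Manifest itself.

```python
import hashlib

# Manifest hash labels mapped to hashlib names (layout assumed: Manifest2 DIST lines).
ALGOS = {"SHA1": "sha1", "SHA256": "sha256", "RMD160": "ripemd160"}

def parse_manifest(text):
    """Map each DIST filename to (size, {label: hexdigest})."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST":
            continue  # other entry types and signature armor are skipped
        pairs = parts[3:]
        if len(pairs) % 2:
            raise ValueError(f"odd hash field count for {parts[1]}")
        entries[parts[1]] = (int(parts[2]), dict(zip(pairs[0::2], pairs[1::2])))
    return entries

def verify(name, data, entries):
    """Return a list of problems; an empty list means every check passed."""
    if name not in entries:
        return ["not listed in Manifest"]
    size, hashes = entries[name]
    problems = []
    if len(data) != size:
        problems.append(f"size {len(data)} != {size}")
    checked = 0
    for label, expected in hashes.items():
        try:
            digest = hashlib.new(ALGOS[label], data).hexdigest()
        except (KeyError, ValueError):
            continue  # unknown label, or digest (e.g. RMD160) missing from this build
        checked += 1
        if digest != expected.lower():
            problems.append(f"{label} mismatch")
    if not checked:
        problems.append("no usable hash in Manifest entry")
    return problems

# Constructed sample: a fake distfile and the Manifest line describing it.
GOOD = b"constructed tarball bytes for demo-1.0\n"
MANIFEST = "DIST demo-1.0.tar.gz {} SHA1 {} SHA256 {}\n".format(
    len(GOOD), hashlib.sha1(GOOD).hexdigest(), hashlib.sha256(GOOD).hexdigest())
ENTRIES = parse_manifest(MANIFEST)
TAMPERED = GOOD.replace(b"demo", b"d3mo")  # same length, different content

if __name__ == "__main__":
    print("good:", verify("demo-1.0.tar.gz", GOOD, ENTRIES))
    print("tampered:", verify("demo-1.0.tar.gz", TAMPERED, ENTRIES))
```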