unsigned Gentoo latest files

Question

unsigned Gentoo latest files

Opened this issue 10 years ago · 3 comments

Gentoo latest files are apparently unsigned.

This is problematic, because automated build scripts such as the @Securix-Linux can not verify this file. The adversary could use this to mount rollback 1 or indefinite freeze [2] attacks.

https://github.com/martincmelik/Securix-Linux/blob/cb293269de0297a18c3b1af3275dbc3a81c22a6c/securix-install/install.sh#L799

 f_download "${SECURIX_STAGE3BASEURL}${STAGE3LATESTTXT}" "${GENTOO_STAGE3BASEURL}${STAGE3LATESTTXT}"

Related: #10

References:
[1] [2] Defined as per TUF (The Update Framework) - Attacks and
Weaknesses - Threat Model:
https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
http://www.webcitation.org/6F7Io2ncN

TODO:

Check Gentoo tracker if they have any plans to sign them.
Suggest this, if not yet.

Answer 1 · 2015-02-13T10:46:11.000Z

bug report:
https://bugs.gentoo.org/show_bug.cgi?id=539954

Answer 2 · 2015-02-13T11:21:02.000Z

Answer in short summary:

WONTFIX

Answer 3 · 2015-02-13T11:40:39.000Z

That close the debate
On Feb 13, 2015 12:21 PM, "Patrick Schleizer" notifications@github.com
wrote:

Answer in short summary:

WONTFIX

—
Reply to this email directly or view it on GitHub
#19 (comment).