Date:	Fri, 7 Oct 2011 11:28:19 +0200
From:	Andrea Arcangeli <aarcange@...hat.com>
To:	Greg KH <greg@...ah.com>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for
 intrusion

On Fri, Sep 30, 2011 at 04:59:24PM -0700, Greg KH wrote:
>    If you have a source-based system (Gentoo, LFS, etc.) you presumably
>    know what you are doing already.

Gentoo portage updates through mirrors by default are insecure and I'm
not sure everyone knows what they're doing already considering it's not the
default and if I talk to people they're not aware of it. So I
thought it's appropriate to send a reminder considering your topic...

To be secure if you use Gentoo you need to add webrsync-gpg to
FEATURES in make.conf and then use only emerge-webrsync (and never use
emerge --sync). Then you should be safe, after that the
SHA1/SHA256/RMD160 of every further download is verified against the
Manifests which have been cryptographically signed. It's very naive
and too insecure to trust any random mirror and emerge --sync should
be abolished and webrsync-gpg should be the default in FEATURES. After
you see "Good signature from" in output from emerge-webrsync you
should be safe. tarsync then speeds things up.
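
The digest check against a Manifest entry that the message describes, as an added Python example that is not part of the original post and is not Portage's own code. It assumes the Manifest `DIST <name> <size> <ALGO> <hex> ...` line layout, uses a constructed sample file and entry, and does not verify any GPG signature (the message leaves that to emerge-webrsync with webrsync-gpg).

```python
import hashlib

# Manifest digest names mentioned in the message -> hashlib names.
ALGOS = {"SHA1": "sha1", "SHA256": "sha256", "RMD160": "ripemd160"}

def parse_dist_line(line):
    """Parse 'DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]' (assumed layout)."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
        raise ValueError("not a well-formed DIST entry: %r" % line)
    digests = dict(zip(fields[3::2], fields[4::2]))
    return fields[1], int(fields[2]), digests

def verify_download(data, manifest_line):
    """Return (ok, problems). The size and every checkable digest must match,
    and at least one digest must be checkable with this Python build."""
    _, size, digests = parse_dist_line(manifest_line)
    problems, checked = [], 0
    if len(data) != size:
        problems.append("size %d != %d" % (len(data), size))
    for algo, expected in digests.items():
        try:
            h = hashlib.new(ALGOS[algo])
        except (KeyError, ValueError):
            continue  # unknown name, or digest missing from this build (e.g. ripemd160)
        h.update(data)
        checked += 1
        if h.hexdigest() != expected.lower():
            problems.append(algo + " mismatch")
    if checked == 0:
        # Fail closed: an entry we cannot check at all is not a pass.
        problems.append("no verifiable digest")
    return (not problems, problems)

# Constructed sample: stand-in file bytes and a Manifest entry built from them.
SAMPLE = b"constructed tarball bytes for the example\n"
SAMPLE_LINE = "DIST example-1.0.tar.gz %d SHA1 %s SHA256 %s" % (
    len(SAMPLE),
    hashlib.sha1(SAMPLE).hexdigest(),
    hashlib.sha256(SAMPLE).hexdigest(),
)

if __name__ == "__main__":
    print(verify_download(SAMPLE, SAMPLE_LINE))                  # intact file
    print(verify_download(SAMPLE[:-1] + b"X", SAMPLE_LINE))      # same size, altered byte
```

The digests only prove the file matches the Manifest; they say nothing about who produced the Manifest, which is why the signature check has to come first.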