Gentoo Security Advisories
- Portage 3.0 stabilized
We have good news! Gentoo’s Portage project has recently stabilized version 3.0 of the package manager.
What’s new? Well, this third version of Portage removes support for Python 2.7, which has been an ongoing effort across the main Gentoo repository by Gentoo’s Python project during 2020 (see this blog post).
In addition, thanks to a user-provided patch, updating to the latest version of Portage can speed up dependency calculations by around 50-60%. We love to see our community engaging in our software! For more details, see this Reddit post from the community member who provided the patch. Stay healthy and keep cooking with Gentoo!
- 200th Gentoo Council meeting
Way back in 2005, the reorganization of Gentoo led to the formation of the Gentoo Council, a steering body elected annually by the Gentoo developers. Forward 15 years, and today we had our 200th meeting! (No earth-shaking decisions were taken today though.) The logs and summaries of all meetings can be read online on the archive page.
- Reviving Gentoo Bugday
Reviving an old tradition, the next Gentoo Bugday will take place on Saturday 2020-06-06. Let’s contribute to Gentoo and fix bugs! We will focus on two topics in particular:
  - Adding or improving documentation on the Gentoo wiki
  - Fixing packages that fail with -fno-common (bug #705764)
Join us on channel #gentoo-bugday, freenode IRC, for real-time help. See you on 2020-06-06!
- AArch64 (arm64) profiles are now stable!
The ARM64 project is pleased to announce that all ARM64 profiles are now stable.
While our developers and users have contributed significantly to this accomplishment, we must also thank our Packet sponsor for their contribution. Providing the Gentoo developer community with access to bare metal hardware has accelerated progress in achieving the stabilization of the ARM64 profiles.
This access has been kindly provided to Gentoo by bare metal cloud Packet via their Works on Arm project. Learn more about their commitment to supporting open source here.
Gentoo Linux is a free, source-based, rolling release meta distribution that features a high degree of flexibility and high performance. It empowers you to make your computer work for you, and offers a variety of choices at all levels of system configuration.
As a community, Gentoo consists of approximately two hundred developers and over fifty thousand users globally.
- Impact of SKS keyserver poisoning on Gentoo
The SKS keyserver network has lately been the victim of a certificate poisoning attack. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.
The certificate poisoning attack abuses three facts: that an OpenPGP key can carry an unlimited number of signatures, that anyone can append signatures to any key, and that a keyserver has no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and causing severe performance issues in GnuPG clients that fetch them.
The attackers have poisoned the keys of a few high-ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend that users not fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures, and they can be expected to enter Gentoo as soon as they are released.
The Gentoo key infrastructure has not been affected by the attack. Shortly after it was reported, we disabled fetching developer key updates from SKS, and today we disabled public key upload access to prevent the keys stored on our server from being poisoned by a malicious third party.
The gemato tool used to verify the Gentoo ebuild repository uses WKD by default. During normal operation it should not be affected by this vulnerability. Gemato has a keyserver fallback that might be vulnerable if WKD fails; however, gemato operates in an isolated environment that will prevent a poisoned key from causing permanent damage to your system. In the worst case, Gentoo repository syncs will be slow or hang.
The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if it is present) and put the following values into /etc/portage/repos.conf:

[gentoo]
sync-type = webrsync
sync-webrsync-delta = true # false to use plain webrsync
sync-webrsync-verify-signature = true

Afterwards, calling emerge --sync or emaint sync --repo gentoo will use gemato key management rather than the vulnerable legacy method. The default is going to be changed in a future release of Portage.
When using GnuPG directly, Gentoo developer and service keys can be securely fetched (and refreshed) via:
  - Web Key Directory, e.g. gpg --locate-key firstname.lastname@example.org
  - Gentoo keyserver, e.g. gpg --keyserver hkps://keys.gentoo.org ...
  - Key bundles, e.g. active devs, service keys
Please note that the aforementioned services provide only keys specific to Gentoo. Keys belonging to other people will not be found on our keyserver. If you are looking for them, you may try the keys.openpgp.org keyserver, which is not vulnerable to the attack, at the cost of stripping all third-party signatures and unverified UIDs.
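Whichever source a key comes from, the attack mechanism described above (unbounded signature packets appended to a key) means a practitioner can triage a key before handing it to GnuPG. The following is an added example for this page, not Gentoo's or GnuPG's own code: a Python script that parses only the OpenPGP packet headers of an exported key block, counts signature packets, and flags a key that carries more than a threshold. The threshold of 1000 signatures, the sample key blocks, and the user ID under example.invalid are constructed assumptions; with GnuPG installed, gpg --list-packets on the same file gives the equivalent packet listing.

```python
"""Triage an exported OpenPGP key for certificate poisoning before importing it.
Added example for this page, not Gentoo's or GnuPG's own code: it parses only
OpenPGP packet headers (RFC 4880 section 4.2) and counts packets by tag."""
import base64

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14
# Assumed triage threshold (every signature packet counts, self-signatures included).
MAX_SIGNATURES = 1000

def dearmor(text: str) -> bytes:
    """Decode ASCII armor: skip headers to the blank line, collect base64 until '=' or END."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if not in_body:
            in_body = line.strip() == ""
        elif line.startswith(("=", "-----END")):   # CRC24 line is not verified
            break
        else:
            body.append(line.strip())
    return base64.b64decode("".join(body))

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old-, new-format and partial-length headers."""
    pos, n = 0, len(data)
    def take(length: int) -> bytes:
        nonlocal pos
        if pos + length > n:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += length
        return data[pos - length:pos]
    while pos < n:
        ctb = take(1)[0]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos - 1}")
        body = b""
        if ctb & 0x40:                                  # new-format header
            tag, partial = ctb & 0x3F, True
            while partial:
                first = take(1)[0]
                partial = 224 <= first < 255            # partial body length chunk
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + take(1)[0] + 192
                elif first == 255:
                    length = int.from_bytes(take(4), "big")
                else:
                    length = 1 << (first & 0x1F)
                body += take(length)
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            length = n - pos if ltype == 3 else int.from_bytes(take((1, 2, 4)[ltype]), "big")
            body = take(length)
        yield tag, body

def check_key(data: bytes, max_sigs: int = MAX_SIGNATURES) -> dict:
    """Count the packets of one key block and flag a suspicious signature count."""
    counts = {}
    for tag, _ in iter_packets(data):
        counts[tag] = counts.get(tag, 0) + 1
    if counts.get(TAG_PUBLIC_KEY, 0) != 1:
        raise ValueError("expected exactly one primary public key packet")
    sigs = counts.get(TAG_SIGNATURE, 0)
    return {"signatures": sigs, "user_ids": counts.get(TAG_USER_ID, 0),
            "subkeys": counts.get(TAG_PUBLIC_SUBKEY, 0), "poisoned": sigs > max_sigs}

def encode_packet(tag: int, body: bytes) -> bytes:
    """New-format framing (RFC 4880 4.2.2) used to build the constructed samples."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + hdr + body

def build_keyblock(n_sigs: int) -> bytes:
    """Constructed sample: primary key, one user ID, n_sigs certification packets
    with dummy bodies; only the framing matters to check_key()."""
    key = encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 40)
    uid = encode_packet(TAG_USER_ID, b"Constructed Test Key <test@example.invalid>")
    sig = encode_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 70)
    return key + uid + sig * n_sigs

def armor(data: bytes) -> str:
    """ASCII-armor a constructed sample, with a placeholder CRC line."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
            f"{body}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    for name, n in (("normal key", 5), ("poisoned key", 60000)):
        print(name, check_key(dearmor(armor(build_keyblock(n)))))
```

The checker deliberately never looks inside packet bodies, so it cannot be stalled by the same signature-heavy content that slows GnuPG; it only needs the framing to be well-formed. It counts self-signatures along with third-party ones, which is fine for triage since a legitimate key carries at most a few hundred packets in total. Binary exports go straight to check_key(); armored exports go through dearmor() first.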