NTLUG

Gentoo



Community

Support

Gentoo Planet

Gentoo Security Advisories

Gentoo News

  • Impact of SKS keyserver poisoning on Gentoo
    The SKS keyserver network has lately been the victim of a certificate poisoning attack. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

    The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and cause severe performance issues in GnuPG clients that fetch them.

    The attackers have poisoned the keys of a few high ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won't be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend users not to fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures and they can be expected to enter Gentoo as soon as they are released.

    The Gentoo key infrastructure has not been affected by the attack. Shortly after it was reported, we disabled fetching developer key updates from SKS, and today we disabled public key upload access to prevent the keys stored on the server from being poisoned by a malicious third party.

    The gemato tool used to verify the Gentoo ebuild repository uses WKD by default. During normal operation it should not be affected by this vulnerability. Gemato has a keyserver fallback that might be vulnerable if WKD fails; however, gemato operates in an isolated environment that will prevent a poisoned key from causing permanent damage to your system. In the worst case, Gentoo repository syncs will be slow or hang.

    The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if it is present) and put the following values into /etc/portage/repos.conf:

        [gentoo]
        sync-type = webrsync
        sync-webrsync-delta = true # false to use plain webrsync
        sync-webrsync-verify-signature = true

    Afterwards, calling emerge --sync or emaint sync --repo gentoo will use gemato key management rather than the vulnerable legacy method. The default is going to be changed in a future release of Portage.

    When using GnuPG directly, Gentoo developer and service keys can be securely fetched (and refreshed) via:

      • Web Key Directory, e.g. gpg --locate-key developer@gentoo.org
      • Gentoo keyserver, e.g. gpg --keyserver hkps://keys.gentoo.org ...
      • Key bundles, e.g. active devs, service keys

    Please note that the aforementioned services provide only keys specific to Gentoo. Keys belonging to other people will not be found on our keyserver. If you are looking for them, you may try the keys.openpgp.org keyserver, which is not vulnerable to the attack, at the cost of stripping all signatures and unverified UIDs.
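    The post describes the poisoning symptom (a key bloated with garbage signatures) but not how to spot one already sitting in a local keyring. The following is an added example, not part of the Gentoo post: it parses the colon-record output of gpg --with-colons --list-sigs and reports keys whose signature count exceeds a threshold, without contacting any keyserver. The threshold value, the function names and the sample records are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the Gentoo post): report keys in a local GnuPG
# keyring that carry an implausibly large number of signatures, the trace
# left by SKS certificate poisoning. Only parses `gpg --with-colons
# --list-sigs` records; it never fetches or refreshes anything.

# Count signature records (sig/rev) under each pub record read from stdin.
# Field 5 of pub and sig records is the key ID in gpg's colon format.
# Output: one "<keyid> <count>" line per public key.
count_sigs() {
    awk -F: '
        $1 == "pub" { if (key != "") print key, n; key = $5; n = 0 }
        $1 == "sig" || $1 == "rev" { n++ }
        END { if (key != "") print key, n }
    '
}

# Print key IDs whose signature count exceeds $1. The threshold is an
# assumption: well-connected legitimate keys can carry a few hundred
# signatures, poisoned ones carry tens of thousands.
flag_bloated() {
    count_sigs | awk -v max="$1" '$2 + 0 > max + 0 { print $1 }'
}

# Constructed sample listing (not real keys): key A has 2 signatures,
# key B has 150. Only field 5 matters to the parser; the rest is elided.
sample_listing() {
    printf 'pub:u:4096:1:AAAAAAAAAAAAAAAA::::::::::\n'
    printf 'uid:u::::::::Example A <a@example.invalid>::::::::::\n'
    printf 'sig:::1:AAAAAAAAAAAAAAAA:::::13x:::::\n'
    printf 'sig:::1:CCCCCCCCCCCCCCCC:::::10x:::::\n'
    printf 'pub:u:4096:1:BBBBBBBBBBBBBBBB::::::::::\n'
    printf 'uid:u::::::::Example B <b@example.invalid>::::::::::\n'
    i=0
    while [ "$i" -lt 150 ]; do
        printf 'sig:::1:%016X:::::10x:::::\n' "$i"
        i=$((i + 1))
    done
}

# Against a real keyring: gpg --with-colons --list-sigs | flag_bloated 100
sample_listing | flag_bloated 100
```

    Listing signatures of an already-poisoned key can itself be slow in GnuPG, which is exactly the symptom being checked for; run it once and then remove or re-import affected keys from a source the post lists as safe.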


  • Nitrokey partners with Gentoo Foundation to equip developers with USB keys
    The Gentoo Foundation has partnered with Nitrokey to equip all Gentoo developers with free Nitrokey Pro 2 devices. Gentoo developers will use the Nitrokey devices to store cryptographic keys for signing of git commits and software packages, GnuPG keys, and SSH accounts.

    Thanks to the Gentoo Foundation and Nitrokey's discount, each Gentoo developer is eligible to receive one free Nitrokey Pro 2. To receive their Nitrokey, developers will need to register with their @gentoo.org email address at the dedicated order form.

    A Nitrokey Pro 2 Guide is available on the Gentoo Wiki with FAQ & instructions for integrating Nitrokeys into developer workflow.
    ABOUT NITROKEY PRO 2
    Nitrokey Pro 2 has strong reliable hardware encryption, thanks to open source. It can help you to: sign Git commits; encrypt emails and files; secure server access; and protect accounts against identity theft via two-factor authentication (one-time passwords).
    ABOUT GENTOO
    Gentoo Linux is a free, source-based, rolling release meta distribution that features a high degree of flexibility and high performance. It empowers you to make your computer work for you, and offers a variety of choices at all levels of system configuration.

    As a community, Gentoo consists of approximately two hundred developers and over fifty thousand users globally.

    The Gentoo Foundation supports the development of Gentoo, protects Gentoo's intellectual property, and oversees adherence to Gentoo's Social Contract.
    ABOUT NITROKEY
    Nitrokey is a German IT security startup committed to open source hardware and software. Nitrokey develops and produces USB keys for data encryption, email encryption (PGP/GPG, S/MIME), and secure account logins (SSH, two-factor authentication via OTP and FIDO).

    Nitrokey is proud to support the Gentoo Foundation in further securing the Gentoo infrastructure and contributing to a secure open source Linux ecosystem.


  • Gentoo GNOME 3.30 for all init systems
    GNOME 3.30 is now available in the Gentoo Linux testing branch. Starting with this release, GNOME on Gentoo once again works with OpenRC, in addition to the usual systemd option. This is achieved through the elogind project, a standalone logind implementation based on systemd code, which is currently maintained by a fellow Gentoo user. Gentoo would like to thank Mart Raudsepp (leio), Gavin Ferris, and all others working on this for their contributions. More information can be found in Mart's blog post.

  • Gentoo congratulates our GSoC participants
    Gentoo would like to congratulate Gibix and JSteward for finishing and passing Google's Summer of Code for the 2018 calendar year. Gibix contributed by enhancing Rust (programming language) support within Gentoo. JSteward contributed by making a full Gentoo GNU/Linux distribution, managed by Portage, run on devices which use the original Android-customized kernel.

    The final reports of their projects can be reviewed on their personal blogs:

      • Gibix: Journey into Gentoo eclass, GSoC timeline
      • JSteward: Final_report


  • Github Gentoo organization hacked - resolved
    2018-07-04 14:00 UTC
    We believe this incident is now resolved. Please see the incident report for details about the incident, its impact, and resolution.
    2018-06-29 15:15 UTC
    The community raised questions about the provenance of Gentoo packages. Gentoo development is performed on hardware run by the Gentoo Infrastructure team (not GitHub). The Gentoo hardware was unaffected by this incident. Users using the default Gentoo mirroring infrastructure should not be affected.

    If you are still concerned about provenance or are unsure what solution you are using, please consult https://wiki.gentoo.org/wiki/Project:Portage/Repository_Verification. This will instruct you on how to verify your repository.
    2018-06-29 06:45 UTC
    The gentoo GitHub organization remains temporarily locked down by GitHub support, pending fixes to pull-request content.

    For ongoing status, please see the Gentoo infra-status incident page.

    For later followup, please see the Gentoo Wiki page for GitHub 2018-06-28. An incident post-mortem will follow on the wiki.


  • Gentoo accepted into Google Summer of Code 2018
    Students who want to spend their summer having fun and writing code can do so now for Gentoo. Gentoo has been accepted as a mentoring organization for this year’s Google Summer of Code.

    The GSoC is an excellent opportunity for gaining real-world experience in software design and making one’s self known in the broader open source community. It also looks great on a resume.

    Initial project ideas can be found here, although new project ideas are welcome. For new projects time is of the essence: there is typically some idea-polishing which must occur before the March 27th deadline. Because of this it is strongly recommended that students refine new project ideas with a mentor before proposing the idea formally.

    GSoC students are encouraged to begin discussing ideas in the #gentoo-soc IRC channel on the Freenode network.

    Further information can be found on the Gentoo GSoC 2018 wiki page. Those with unanswered questions should not hesitate to contact the Summer of Code mentors via the mailing list.


Page last modified on December 29, 2006, at 08:35 PM