Gentoo Security Advisories
- Impact of SKS keyserver poisoning on Gentoo
The SKS keyserver network has lately been a victim of a certificate poisoning attack. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.
The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and causing severe performance issues in GnuPG clients that fetch them.
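As an added illustration of the mechanism described above (this is not code from Gentoo, GnuPG or the SKS project), the following Python walks the packet structure of an exported OpenPGP keyring and counts the signature packets attached to each key. This is the kind of defensive check a client could run on a key fetched from an untrusted keyserver before handing it to GnuPG, since a poisoned key is simply one that carries tens of thousands of signature packets. The keyring is constructed inline from dummy packet bodies (no real key material), and the 1000-signature threshold is an arbitrary assumption, not a value from the post.

```python
# Added example: count signature packets per key in an OpenPGP keyring.
# Not Gentoo/GnuPG code; the keyring below is constructed with dummy bodies.
from typing import Dict, Iterator, List, Tuple

SIG_TAG = 2       # Signature packet
PUBKEY_TAG = 6    # Public-Key packet (starts a transferable key block)
USERID_TAG = 13   # User ID packet


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Wrap body in a new-format OpenPGP packet header (RFC 4880 section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n2 = n - 192
        length = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for every packet; handles old and new header formats."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:  # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported here")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def count_signatures(keyring: bytes) -> List[Dict[str, int]]:
    """Per public-key block: number of signature packets, user IDs and body bytes."""
    keys: List[Dict[str, int]] = []
    for tag, body in iter_packets(keyring):
        if tag == PUBKEY_TAG:
            keys.append({"sigs": 0, "uids": 0, "bytes": 0})
        if not keys:
            continue  # ignore anything before the first key packet
        keys[-1]["bytes"] += len(body)
        if tag == SIG_TAG:
            keys[-1]["sigs"] += 1
        elif tag == USERID_TAG:
            keys[-1]["uids"] += 1
    return keys


def poisoned_keys(keyring: bytes, max_sigs: int = 1000) -> List[int]:
    """Indices of key blocks carrying more signatures than any legitimate key would."""
    return [i for i, k in enumerate(count_signatures(keyring)) if k["sigs"] > max_sigs]


# Constructed sample (assumption): a normal key with 3 signatures and a
# "poisoned" key with 5000 garbage signatures appended. Bodies are dummies.
SAMPLE_KEYRING = (
    new_format_packet(PUBKEY_TAG, b"\x04" + b"\x00" * 20)
    + new_format_packet(USERID_TAG, b"Alice Example <alice@example.org>")
    + b"".join(new_format_packet(SIG_TAG, b"\x04\x13" + bytes([i])) for i in range(3))
    + new_format_packet(PUBKEY_TAG, b"\x04" + b"\x01" * 20)
    + new_format_packet(USERID_TAG, b"Bob Example <bob@example.org>")
    + b"".join(new_format_packet(SIG_TAG, b"\x04\x10" + i.to_bytes(2, "big")) for i in range(5000))
)

if __name__ == "__main__":
    for i, k in enumerate(count_signatures(SAMPLE_KEYRING)):
        print(f"key #{i}: {k['sigs']} signatures, {k['uids']} user IDs, {k['bytes']} bytes")
    print("suspicious keys:", poisoned_keys(SAMPLE_KEYRING))
```

The parser only reads packet headers, so it stays cheap even on a multi-megabyte poisoned key; it deliberately does not verify any signature, because the post's point is that verification is exactly the expensive step the garbage signatures force GnuPG into.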
The attackers have poisoned the keys of a few high ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend users not to fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures and they can be expected to enter Gentoo as soon as they are released.
The Gentoo key infrastructure has not been affected by the attack. Shortly after it was reported, we disabled fetching developer key updates from SKS and today we have disabled public key upload access to prevent the keys stored on the server from being poisoned by a malicious third party.
The gemato tool used to verify the Gentoo ebuild repository uses WKD by default. During normal operation it should not be affected by this vulnerability. Gemato has a keyserver fallback that might be vulnerable if WKD fails; however, gemato operates in an isolated environment that will prevent a poisoned key from causing permanent damage to your system. In the worst case, Gentoo repository syncs will be slow or hang.
The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if it is present) and put the following values into /etc/portage/repos.conf:
[gentoo]
sync-type = webrsync
sync-webrsync-delta = true # false to use plain webrsync
sync-webrsync-verify-signature = true
Afterwards, calling emerge --sync or emaint sync --repo gentoo will use gemato key management rather than the vulnerable legacy method. The default is going to be changed in a future release of Portage.
When using GnuPG directly, Gentoo developer and service keys can be securely fetched (and refreshed) via:
- Web Key Directory, e.g. gpg --locate-key email@example.com
- Gentoo keyserver, e.g. gpg --keyserver hkps://keys.gentoo.org ...
- Key bundles, e.g. active devs, service keys
Please note that the aforementioned services provide only keys specific to Gentoo. Keys belonging to other people will not be found on our keyserver. If you are looking for them, you may try the keys.openpgp.org keyserver, which is not vulnerable to the attack, at the cost of stripping all signatures and unverified UIDs.
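How a Web Key Directory lookup such as the gpg --locate-key call above finds a key without touching any keyserver, shown as an added Python example (not GnuPG's or gemato's code): the client lowercases the local part of the address, hashes it with SHA-1, z-base-32 encodes the digest and fetches the key over HTTPS from the mail domain itself, so only the domain owner controls which signatures and user IDs are served. The address Joe.Doe@Example.ORG and its hash are the published test vector from the WKD draft (draft-koch-openpgp-webkey-service); the example only builds the two candidate URLs and performs no network request.

```python
# Added example: compute the Web Key Directory (WKD) lookup URLs for an address.
# Not GnuPG or gemato code; performs no network access.
import hashlib
from typing import Tuple
from urllib.parse import quote

# z-base-32 alphabet required by the WKD draft
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (5 bits per output character)."""
    out = []
    acc = 0
    nbits = 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
            acc &= (1 << nbits) - 1  # drop the bits already emitted
    if nbits:  # left-align the remaining bits into a final character
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' path component: z-base-32(SHA-1(lowercased local part)), 32 chars."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Tuple[str, str]:
    """Return (advanced_url, direct_url), the two locations a WKD client tries in order."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    domain = domain.lower()
    hu = wkd_hash(local)
    query = "?l=" + quote(local, safe="")  # original (case-preserved) local part
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{query}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}"
    return advanced, direct


if __name__ == "__main__":
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
```

Because the key is served from a path derived only from the address, a third party has no way to append data to it: the file at that URL is whatever the domain's operator publishes, which is why the post can say that gemato's WKD path is not affected while the SKS path is.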
- Nitrokey partners with Gentoo Foundation to equip developers with USB keys
The Gentoo Foundation has partnered with Nitrokey to equip all Gentoo developers with free Nitrokey Pro 2 devices. Gentoo developers will use the Nitrokey devices to store cryptographic keys for signing of git commits and software packages, GnuPG keys, and SSH accounts.
Thanks to the Gentoo Foundation and Nitrokey’s discount, each Gentoo developer is eligible to receive one free Nitrokey Pro 2. To receive their Nitrokey, developers will need to register with their @gentoo.org email address at the dedicated order form.
A Nitrokey Pro 2 Guide is available on the Gentoo Wiki with FAQ & instructions for integrating Nitrokeys into developer workflow.
ABOUT NITROKEY PRO 2
Nitrokey Pro 2 has strong, reliable hardware encryption, thanks to open source. It can help you to: sign Git commits; encrypt emails and files; secure server access; and protect accounts against identity theft via two-factor authentication (one-time passwords).
Gentoo Linux is a free, source-based, rolling release meta distribution that features a high degree of flexibility and high performance. It empowers you to make your computer work for you, and offers a variety of choices at all levels of system configuration.
As a community, Gentoo consists of approximately two hundred developers and over fifty thousand users globally.
The Gentoo Foundation supports the development of Gentoo, protects Gentoo’s intellectual property, and oversees adherence to Gentoo’s Social Contract.
Nitrokey is a German IT security startup committed to open source hardware and software. Nitrokey develops and produces USB keys for data encryption, email encryption (PGP/GPG, S/MIME), and secure account logins (SSH, two-factor authentication via OTP and FIDO).
Nitrokey is proud to support the Gentoo Foundation in further securing the Gentoo infrastructure and contributing to a secure open source Linux ecosystem.
- Gentoo GNOME 3.30 for all init systems
GNOME 3.30 is now available in the Gentoo Linux testing branch. Starting with this release, GNOME on Gentoo once again works with OpenRC, in addition to the usual systemd option. This is achieved through the elogind project, a standalone logind implementation based on systemd code, which is currently maintained by a fellow Gentoo user. Gentoo would like to thank Mart Raudsepp (leio), Gavin Ferris, and all others working on this for their contributions. More information can be found in Mart’s blog post.
- FOSDEM 2019
It’s FOSDEM time again! Join us at Université libre de Bruxelles, Campus du Solbosch, in Brussels, Belgium. This year’s FOSDEM 2019 will be held on February 2nd and 3rd.
Our developers will be happy to greet all open source enthusiasts at our Gentoo stand in building K. Visit this year’s wiki page to see who’s coming. So far eight developers have specified their attendance, with most likely many more on the way!
- Gentoo congratulates our GSoC participants
Gentoo would like to congratulate Gibix and JSteward for finishing and passing Google’s Summer of Code for the 2018 calendar year. Gibix contributed by enhancing Rust (programming language) support within Gentoo. JSteward contributed by making a full Gentoo GNU/Linux distribution, managed by Portage, run on devices which use the original Android-customized kernel.
The final reports of their projects can be reviewed on their personal blogs:
- Gibix: Journey into Gentoo eclass, GSoC timeline
- JSteward: Final_report
- Github Gentoo organization hacked - resolved
2018-07-04 14:00 UTC
We believe this incident is now resolved. Please see the incident report for details about the incident, its impact, and resolution.
2018-06-29 15:15 UTC
The community raised questions about the provenance of Gentoo packages. Gentoo development is performed on hardware run by the Gentoo Infrastructure team (not GitHub). The Gentoo hardware was unaffected by this incident. Users using the default Gentoo mirroring infrastructure should not be affected.
If you are still concerned about provenance or are unsure what solution you are using, please consult https://wiki.gentoo.org/wiki/Project:Portage/Repository_Verification. This will instruct you on how to verify your repository.
2018-06-29 06:45 UTC
The gentoo GitHub organization remains temporarily locked down by GitHub support, pending fixes to pull-request content.
For ongoing status, please see the Gentoo infra-status incident page.
For later followup, please see the Gentoo Wiki page for GitHub 2018-06-28. An incident post-mortem will follow on the wiki.
- Gentoo accepted into Google Summer of Code 2018
Students who want to spend their summer having fun and writing code can do so now for Gentoo. Gentoo has been accepted as a mentoring organization for this year’s Google Summer of Code.
The GSoC is an excellent opportunity for gaining real-world experience in software design and making one’s self known in the broader open source community. It also looks great on a resume.
Initial project ideas can be found here, although new project ideas are welcome. For new projects time is of the essence: there is typically some idea-polishing which must occur before the March 27th deadline. Because of this it is strongly recommended that students refine new project ideas with a mentor before proposing the idea formally.
GSoC students are encouraged to begin discussing ideas in the #gentoo-soc IRC channel on the Freenode network.
Further information can be found on the Gentoo GSoC 2018 wiki page. Those with unanswered questions should not hesitate to contact the Summer of Code mentors via the mailing list.