Gentoo News

News and information from Gentoo Linux

AArch64 (arm64) profiles are now stable!

Sunday 11th of August 2019 12:00:00 AM

The ARM64 project is pleased to announce that all ARM64 profiles are now stable.

While our developers and users have contributed significantly in this accomplishment, we must also thank our Packet sponsor for their contribution. Providing the Gentoo developer community with access to bare metal hardware has accelerated progress in achieving the stabilization of the ARM64 profiles.

About Packet.com

This access has been kindly provided to Gentoo by bare metal cloud Packet via their Works on Arm project. Learn more about their commitment to supporting open source here.

About Gentoo

Gentoo Linux is a free, source-based, rolling release meta distribution that features a high degree of flexibility and high performance. It empowers you to make your computer work for you, and offers a variety of choices at all levels of system configuration.

As a community, Gentoo consists of approximately two hundred developers and over fifty thousand users globally.

Impact of SKS keyserver poisoning on Gentoo

Wednesday 3rd of July 2019 12:00:00 AM

The SKS keyserver network has recently been the victim of a certificate poisoning attack. The OpenPGP verification used for repository syncing is protected against the attack; however, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key, and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and causing severe performance issues in GnuPG clients that fetch them.

The attackers have poisoned the keys of a few high-ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend that users not fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures, which can be expected to enter Gentoo as soon as they are released.
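Because GnuPG cannot tell a garbage signature from a real one, a practical defensive check is to count signature packets in a downloaded key export before importing it. The following is an added example (not Gentoo's or GnuPG's code) that walks the RFC 4880 packet framing of a binary key export and flags an export whose signature count exceeds a threshold; the threshold and the sample key data are constructed here.

```python
"""Count signature packets in a binary OpenPGP key export (RFC 4880 framing)
so an oversized key can be flagged before it is imported into GnuPG. Added
example, not Gentoo's or GnuPG's code; threshold and sample data are constructed."""

SIGNATURE_TAG = 2  # RFC 4880 packet tag for signatures

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new format: tag in low 6 bits, 1- or 2-octet length
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            else:
                raise ValueError("5-octet and partial body lengths not handled")
        else:  # old format: tag in bits 2-5, length type in low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate: body runs to end of input
                length = len(data) - pos
            else:
                size = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += length
        yield tag, body

def count_signatures(data: bytes) -> int:
    return sum(1 for tag, _ in iter_packets(data) if tag == SIGNATURE_TAG)
def looks_poisoned(data: bytes, max_sigs: int = 1000) -> bool:  # constructed default
    return count_signatures(data) > max_sigs

def new_packet(tag: int, body: bytes) -> bytes:  # new-format packet for test input
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body

def sample_key(n_sigs: int) -> bytes:  # constructed key: pubkey, user ID, n sigs
    pubkey = bytes([0x80 | (6 << 2), 3]) + b"key"  # old format, 1-octet length
    uid = new_packet(13, b"Example User <user@example.org>")
    return pubkey + uid + b"".join(new_packet(2, b"s" * 300) for _ in range(n_sigs))
```

Run the check on `gpg --export` output (binary, not ASCII-armored) of a key fetched from an untrusted keyserver; the signature count alone is enough to decide whether to import it.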

The Gentoo key infrastructure has not been affected by the attack. Shortly after it was reported, we disabled fetching developer key updates from SKS, and today we disabled public key upload access to prevent the keys stored on the server from being poisoned by a malicious third party.

The gemato tool used to verify the Gentoo ebuild repository uses WKD by default. During normal operation it should not be affected by this vulnerability. Gemato has a keyserver fallback that might be vulnerable if WKD fails; however, gemato operates in an isolated environment that prevents a poisoned key from causing permanent damage to your system. In the worst case, Gentoo repository syncs will be slow or hang.

The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if present) and put the following values into /etc/portage/repos.conf:

    [gentoo]
    sync-type = webrsync
    sync-webrsync-delta = true  # false to use plain webrsync
    sync-webrsync-verify-signature = true

Afterwards, calling emerge --sync or emaint sync --repo gentoo will use gemato key management rather than the vulnerable legacy method. The default is going to be changed in a future release of Portage.

When using GnuPG directly, Gentoo developer and service keys can be securely fetched (and refreshed) via:

  1. Web Key Directory, e.g. gpg --locate-key developer@gentoo.org
  2. Gentoo keyserver, e.g. gpg --keyserver hkps://keys.gentoo.org ...
  3. Key bundles, e.g.: active devs, service keys

Please note that the aforementioned services provide only keys specific to Gentoo. Keys belonging to other people will not be found on our keyserver. If you are looking for them, you may try the keys.openpgp.org keyserver, which is not vulnerable to the attack, at the cost of stripping all signatures and unverified UIDs.

More in Tux Machines

Python Programming Leftovers

  • Cogito, Ergo Sumana: Futureproofing Your Python Tools

    The people who maintain Python and key Python platforms want to help you protect the code you write and depend on. [...] Publishing that package is a great way of making it so other people can run and deploy it, even within other parts of your organization. But -- who actually has the keys to the castle? Who can upload a new version, or delete a version that has a problem? You should probably make sure multiple people have either "owner" or "maintainer" privileges on the project on PyPI. And you should review your project security history display, which lists sensitive events (such as "file removed from release version 1.0.1") in your PyPI user account and your PyPI project. We just added this display, so you can look at things that have happened in your user account or project, and check for signs someone's stolen your credentials.

  • py3status v3.20 – EuroPython 2019 edition

    Shame on me to post this so long after it happened… Still, that’s a funny story to tell and a lot of thank you to give so let’s go!

  • Finding Python Developers for Your Startup

    Recently I stumbled across a situation while I was helping out at one of the events for JuniorDev SG. There were not a lot of Python developers, and some of my other developer friends said that they hardly encounter any developer friends who are using Python for their work. It began during a conversation, where one of the attendees of a JuniorDev SG event approached me to search for Python developers to work for their startup based in Singapore.

Geary 3.34 Debuts with Deeper GNOME Contacts Integration, Other Changes

The Geary email client has issued a brand new release, and in this post I tell you a bit about it. Geary 3.34.0 (you may recall that Geary switched to following GNOME numbering last year) is the latest update to this web-mail friendly mail tool, and there’s a healthy dose of improvement on offer, as noted in the release notes. Among them is deeper integration with GNOME Contacts. Geary’s in-app contacts pop-over now supports adding and editing contacts stored in the GNOME Contacts app, and is able to auto-complete email addresses based on data from contacts too. Serial typo-makers like me will appreciate the spell checker now covering the mail composer’s subject line, while the addition of support for Outlook-specific email attachments (TNEF) will please those who regularly run into issues on that front. Other changes in Geary 3.34.0 include “a substantial number” of server compatibility improvements, background syncing tweaks, and other bug fixes.

today's howtos

Best free Linux firewalls of 2019: go beyond Iptables for desktops and servers

Linux distros will often come with at least a basic firewall bundled with them. Often this won't be active by default, so it will need to be activated. Additionally, this will likely be the standard Iptables, even though less experienced users may struggle with it. UFW (Uncomplicated Firewall) is also bundled with some distros, and aims to make the process simpler. However, there are distros and applications out there that cater for both the more advanced user and the less experienced one, making it easier to set up and configure a firewall that works for your needs. Some, like ClearOS, build it directly into the operating system as part of its security focus, but most other options are applications that aim to block rogue IPs, monitor ports, and otherwise prevent bad packets from interfering with your machine. For most home users there are few actual settings that need to be customized, so simple apps can be popular, but for those looking to manage their machine as a server, additional controls and advanced command options will tend to be more welcome.