A group of Gentoo developers hosted an AMA session on Reddit today, and they did not shy away from fielding difficult questions. Many of these concerned security, though it should be noted that Gentoo Linux already has a reputation for being ahead of the game when it comes to security updates.
The distribution's weekly rolling release schedule ensures that the overwhelming majority of users are running up-to-date packages at all times. One question raised was what might happen if the source code for a popular package contained some sort of trojan. Longtime Linux users may recall that the UnrealIRCd server's source code once contained a backdoor, though the developers corrected the issue as soon as they caught it.
Since Gentoo compiles source code locally according to each user's preferences, a system would not normally be compromised by a trojaned binary package. A compromised source package, however, is a different matter.
According to Gentoo's security experts, there are only a few ways this could happen. If the upstream repository for a piece of software itself contained a trojan, it would be hard to catch downstream, and this kind of problem would affect many distributions, not merely Gentoo.
If a tarball were swapped somewhere down the line, it would not matter that the upstream source was clean. However, signing the release with OpenPGP before it is added to Gentoo's ebuild repository, together with the checksums recorded for each source archive, means a swapped tarball should be detected in most situations.
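The check described above, written out as an added example rather than Portage's own code: a fetched source archive is compared against the size and hashes recorded in a Gentoo-style Manifest. The Manifest line layout follows what Portage writes for DIST entries ("DIST <file> <size> <HASH> <hex> ..."); the archive bytes, file names and the Manifest text itself are constructed for the demo. Checking the OpenPGP signature over the Manifest is done by gemato (or gpg) before any of these hashes is trusted, and is not shown here.

```python
"""Check a fetched source archive against a Gentoo-style Manifest.

Added example, not Gentoo/Portage code. The DIST line layout matches what
Portage records; the archive bytes and file names below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hash names that appear in Manifests and that hashlib can compute. WHIRLPOOL
# (found in older Manifests) is not in hashlib, so it is skipped, not trusted.
SUPPORTED = {
    "BLAKE2B": hashlib.blake2b,
    "SHA512": hashlib.sha512,
    "SHA256": hashlib.sha256,
}


@dataclass
class ManifestEntry:
    kind: str      # DIST, EBUILD, AUX or MISC
    name: str
    size: int
    hashes: dict   # hash name -> expected hex digest


def parse_manifest(text: str) -> dict:
    """Parse Manifest lines into {(kind, name): ManifestEntry}.

    Armor lines of a clearsigned Manifest are skipped; the signature must be
    verified separately (gemato or gpg --verify) before trusting any hash.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----") or line.startswith("Hash:"):
            continue
        fields = line.split()
        # kind, name, size, then one or more (HASHNAME, hex) pairs
        if len(fields) < 5 or (len(fields) - 3) % 2:
            raise ValueError(f"malformed Manifest line: {line!r}")
        kind, name, size = fields[0], fields[1], int(fields[2])
        pairs = fields[3:]
        hashes = {pairs[i].upper(): pairs[i + 1].lower()
                  for i in range(0, len(pairs), 2)}
        entries[(kind, name)] = ManifestEntry(kind, name, size, hashes)
    return entries


def verify_distfile(entry: ManifestEntry, data: bytes) -> tuple:
    """Return (ok, reason) for a downloaded archive against its DIST entry."""
    if len(data) != entry.size:
        return False, f"size {len(data)} != {entry.size}"
    checked = 0
    for algo, expected in entry.hashes.items():
        if algo not in SUPPORTED:
            continue  # unknown algorithm: cannot vouch for it either way
        actual = SUPPORTED[algo](data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, f"{algo} mismatch"
        checked += 1
    if checked == 0:
        return False, "no supported hash to verify against"
    return True, f"{checked} hash(es) verified"


def dist_line(name: str, data: bytes) -> str:
    """Build the DIST line a developer's Manifest would record (BLAKE2B + SHA512)."""
    digests = " ".join(f"{algo} {SUPPORTED[algo](data).hexdigest()}"
                       for algo in ("BLAKE2B", "SHA512"))
    return f"DIST {name} {len(data)} {digests}"


# --- constructed demo data: not a real tarball, just bytes standing in for one ---
GOOD_TARBALL = b"example-1.0/\nexample-1.0/configure\nexample-1.0/src/main.c\n" * 16
# Same length, one byte changed: what a swapped copy on a mirror could look like.
TAMPERED_TARBALL = GOOD_TARBALL[:40] + b"X" + GOOD_TARBALL[41:]
TRUNCATED_TARBALL = GOOD_TARBALL[:-1]

SAMPLE_MANIFEST = "\n".join([
    dist_line("example-1.0.tar.gz", GOOD_TARBALL),
    "EBUILD example-1.0.ebuild 512 BLAKE2B " + "0" * 128 + " SHA512 " + "0" * 128,
    "MISC metadata.xml 300 BLAKE2B " + "0" * 128 + " SHA512 " + "0" * 128,
])


def check_all() -> dict:
    """Run the three archives against the same DIST entry; returns name -> ok."""
    entry = parse_manifest(SAMPLE_MANIFEST)[("DIST", "example-1.0.tar.gz")]
    return {
        "good": verify_distfile(entry, GOOD_TARBALL)[0],
        "tampered": verify_distfile(entry, TAMPERED_TARBALL)[0],
        "truncated": verify_distfile(entry, TRUNCATED_TARBALL)[0],
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:10s} {'OK' if ok else 'REJECTED'}")
```

The size check comes first because it is free and rejects a truncated download before any hashing; the constant-time comparison is a habit rather than a necessity here, since the expected digest is public. Note that an entry carrying only algorithms the verifier cannot compute is rejected rather than waved through: silently skipping every hash would turn an unknown algorithm into a bypass.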
The AMA comments also clarified other measures used to prevent this kind of attack. Commits pushed to the repository are signed by the individual developers. Commits then pass through a master rsync staging area, where the Manifests are "thickened" to cover every file and gathered under a MetaManifest that is itself signed. Because users verify that one infrastructure signature rather than every developer's key, key rotation has become rather simple for the developers.
A renewed emphasis on Linux security is present in nearly all major distributions, but it certainly appears from these comments that Gentoo has gone the extra mile to secure its own pipeline.