Gentoo News

News and information from Gentoo Linux

AArch64 (arm64) profiles are now stable!

Sunday 11th of August 2019 12:00:00 AM

The ARM64 project is pleased to announce that all ARM64 profiles are now stable.

While our developers and users have contributed significantly to this accomplishment, we must also thank our sponsor Packet for their contribution. Providing the Gentoo developer community with access to bare metal hardware has accelerated progress in achieving the stabilization of the ARM64 profiles.

About Packet.com

This access has been kindly provided to Gentoo by bare metal cloud Packet via their Works on Arm project. Learn more about their commitment to supporting open source here.

About Gentoo

Gentoo Linux is a free, source-based, rolling release meta distribution that features a high degree of flexibility and high performance. It empowers you to make your computer work for you, and offers a variety of choices at all levels of system configuration.

As a community, Gentoo consists of approximately two hundred developers and over fifty thousand users globally.

Impact of SKS keyserver poisoning on Gentoo

Wednesday 3rd of July 2019 12:00:00 AM

The SKS keyserver network has recently been the victim of a certificate poisoning attack. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key, and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers. The keys become very large and cause severe performance issues in GnuPG clients that fetch them.

The attackers have poisoned the keys of a few high-ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend that users not fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures, and they can be expected to enter Gentoo as soon as they are released.
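As an added example (not part of the original post or of any Gentoo tool), the sketch below walks the packet headers of a binary OpenPGP key file, such as the output of gpg --export, and counts signature packets per certificate, so an oversized key can be spotted before GnuPG has to process it. The function names, the sample bytes and the limit of 1000 signatures are assumptions made for illustration.

```python
SIG, PUBKEY = 2, 6  # OpenPGP packet tags (RFC 4880, section 4.3)
# Constructed sample, not a real key: one certificate with three signature packets.
SAMPLE = b"\x98\x01\x00" + b"\xb4\x01a" + b"\x88\x01\x00" * 2 + b"\xc2\x01\x00"

def _new_length(data, pos):
    """Decode a new-format length field; return (body_length, body_start)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not allowed in key material")

def iter_packets(data):
    """Yield (tag, body_length) for every packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        header = data[pos]
        if not header & 0x80:  # also catches ASCII-armored input
            raise ValueError(f"not an OpenPGP packet at offset {pos}")
        try:
            if header & 0x40:  # new-format header
                tag, (total, pos) = header & 0x3F, _new_length(data, pos + 1)
            else:  # old format: 1-, 2- or 4-octet length, or (type 3) rest of input
                tag, ltype = (header >> 2) & 0x0F, header & 3
                width = 0 if ltype == 3 else 1 << ltype
                raw = data[pos + 1:pos + 1 + width]
                total = int.from_bytes(raw, "big") if width else len(data) - pos - 1
                pos += 1 + width
        except IndexError:
            raise ValueError("truncated packet header") from None
        pos += total  # skip the body; only headers are inspected
        if pos > len(data):
            raise ValueError("truncated packet body")
        yield tag, total

def signature_counts(data):
    """Count signature packets per certificate (each starts at a public-key packet)."""
    counts = []
    for tag, _ in iter_packets(data):
        if tag == PUBKEY:
            counts.append(0)
        elif tag == SIG and counts:
            counts[-1] += 1
    return counts

def poisoned(data, limit=1000):  # limit is an assumed threshold, tune it locally
    return [i for i, n in enumerate(signature_counts(data)) if n > limit]
```

The count includes self-signatures and subkey binding signatures, so the limit has to sit well above what a legitimate, widely signed key carries.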

The Gentoo key infrastructure has not been affected by the attack. Shortly after it was reported, we disabled fetching developer key updates from SKS, and today we disabled public key upload access to prevent the keys stored on the server from being poisoned by a malicious third party.

The gemato tool used to verify the Gentoo ebuild repository uses WKD by default. During normal operation it should not be affected by this vulnerability. Gemato has a keyserver fallback that might be vulnerable if WKD fails; however, gemato operates in an isolated environment that will prevent a poisoned key from causing permanent damage to your system. In the worst case, Gentoo repository syncs will be slow or hang.

The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if it is present) and put the following values into /etc/portage/repos.conf:

    [gentoo]
    sync-type = webrsync
    sync-webrsync-delta = true  # false to use plain webrsync
    sync-webrsync-verify-signature = true

Afterwards, calling emerge --sync or emaint sync --repo gentoo will use gemato key management rather than the vulnerable legacy method. The default is going to be changed in a future release of Portage.

When using GnuPG directly, Gentoo developer and service keys can be securely fetched (and refreshed) via:

  1. Web Key Directory, e.g. gpg --locate-key developer@gentoo.org
  2. Gentoo keyserver, e.g. gpg --keyserver hkps://keys.gentoo.org ...
  3. Key bundles, e.g.: active devs, service keys

Please note that the aforementioned services provide only keys specific to Gentoo. Keys belonging to other people will not be found on our keyserver. If you are looking for them, you may try the keys.openpgp.org keyserver, which is not vulnerable to the attack, at the cost of stripping all signatures and unverified UIDs.
