Old 03-16-2010, 11:29 PM
Daenyth Blank
 
Default Package signing (was: Arch Linux security is still poor)

On Tue, Mar 16, 2010 at 20:06, Linas <linas_fi@ymail.com> wrote:
> I had already this email draft in my head, but Ananda 'Arch Linux security
> is still poor' thread, on which the point was also brought up, moved me to
> really write it.

There's a bug on the tracker about this, please contribute there.
There's no point in bringing it up here for the inf++th time.
 
Old 03-16-2010, 11:51 PM
"Allan McRae"
 
Default Package signing (was: Arch Linux security is still poor)

On 17/03/10 10:06, Linas wrote:

Do you think this is a good idea? Which solution do you prefer?
And most important, what would be needed to reach there?


There have been discussions on the pacman-dev mailing list and there is even
a partial implementation for package signing available. You should
research those archives if you want to help. We have had lots of people
talk but very few ever contributed actual code, which is the big
bottleneck here.


Allan
 
Old 03-18-2010, 12:39 AM
Myra Nelson
 
Default Package signing (was: Arch Linux security is still poor)

On Tue, Mar 16, 2010 at 19:06, Linas <linas_fi@ymail.com> wrote:
> I had already this email draft in my head, but Ananda 'Arch Linux security
> is still poor' thread, on which the point was also brought up, moved me to
> really write it.
>
> First off, there's an implicit level of trust on the package software, no
> matter which OS you use.
> When using Windows, you trust in Microsoft, when using Mac OS, you trust in
> Apple, when using a Linux distro, you trust the packagers and upstream.
> Either you do that or trust just whatever came installed and not install
> anything ever (thus not patching to new vulnerabilities).
>
> The problem with Arch current packaging system is not that you must trust
> people able to write in core not to add a rm -rf / (to name the classical
> 'attack') nor that you didn't install arch with an infected media. The
> problem is that every time you do pacman -Syu, you must blindly trust that
> your dns, network, and mirror are reliable, too.
> The packages are verified with a md5 from the server list, but should you
> update from a compromised mirror (or impersonated, eg. arp poisoning, dns
> spoofing, bofh proxy operator...) you have lost. A pacman -Syu from an open
> wifi might be enough. A later update may 'clean' it, so you may not even
> notice that you were once compromised.
>
> There are several ways to close the gap:
> *Always download the package list from ftp.archlinux.org
> It's the easier solution, but it only protects against the mirror operator.
> Moreover, it increases load on that server and makes it a single point of
> failure.
>
> *Package lists are signed from a trusted master key. There may be up to a
> key per repo.
> Easy to provide, allows backward compatibility.
>
> *Packages are automatically signed by ftp.archlinux.org before distributing
> them.
> Removes the dependency on the package list. Packages can be shared
> securely (eg. getting a downgrade for an untrusted user).
>
> *Each developer signs their own packages prior to uploading. Each repository
> key signs the keys of the developers with write access. Users can blacklist
> or trust independent developers.
>
> Needless to say, the last solution is the one I like most. However, being
> more complete, it also means more work.
>
> The package signing could be a simple text file with filenames and hashes
> (preferably something more secure than md5) signed with gpg, or could be
> expanded if more fields are needed.
>
> Do you think this is a good idea? Which solution do you prefer?
> And most important, what would be needed to reach there?
>

There is one last problem with trust that no one can cure. You either trust
the devs or you don't. This is illustrated by a classic quote from Ken
Thompson

"The moral is obvious. You can't trust code that you did not totally create
yourself. (Especially code from companies that employ people like me.) No
amount of source-level verification or scrutiny will protect you from using
untrusted code. In demonstrating the possibility of this kind of attack, I
picked on the C compiler. I could have picked on any program-handling
program such as an assembler, a loader, or even hardware microcode. As the
level of program gets lower, these bugs will be harder and harder to detect.
A well installed microcode bug will be almost impossible to detect." From
this article: http://cm.bell-labs.com/who/ken/trust.html

Myra Nelson
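The signed package list proposed above (filenames plus hashes, signed with one master key), as an added example that is not code from the thread or from pacman: the manifest line format, the Ed25519 master key, and the client-side check order (signature first, then per-package hash) are this example's own assumptions; gpg would play the signing role in the real scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// sha256hex hashes package bytes with SHA-256 (a stronger digest than md5).
func sha256hex(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// buildManifest renders the package list the master key signs: one "<sha256>  <filename>" line per package, sorted so the signed bytes are deterministic (format constructed here, not pacman's).
func buildManifest(pkgs map[string][]byte) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", sha256hex(pkgs[n]), n)
	}
	return []byte(b.String())
}

// verifyPackage is the client side: trust the manifest only if the master key's signature checks, then trust the package only if its hash matches; mirror and network get no trust of their own.
func verifyPackage(master ed25519.PublicKey, manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(master, manifest, sig) {
		return fmt.Errorf("manifest signature invalid: tampered list or untrusted mirror")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if f := strings.SplitN(line, "  ", 2); len(f) == 2 && f[1] == name {
			if f[0] != sha256hex(data) {
				return fmt.Errorf("%s: contents do not match the signed manifest", name)
			}
			return nil
		}
	}
	return fmt.Errorf("%s: not listed in the signed manifest", name)
}

func main() {
	master, priv, _ := ed25519.GenerateKey(rand.Reader) // master key is never on a mirror
	pkgs := map[string][]byte{"foo-1.0-1.pkg.tar.gz": []byte("constructed package bytes")}
	manifest := buildManifest(pkgs)
	fmt.Println(verifyPackage(master, manifest, ed25519.Sign(priv, manifest), "foo-1.0-1.pkg.tar.gz", pkgs["foo-1.0-1.pkg.tar.gz"]))
}
```

A manifest rebuilt by a compromised mirror fails the signature check, and a package that differs from the signed hash fails even when the manifest is genuine.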
 
Old 03-18-2010, 08:17 PM
Linas
 
Default Package signing (was: Arch Linux security is still poor)

Myra Nelson wrote:
> There is one last problem with trust that no one can cure. You either trust
> the devs or you don't. This is illustrated by a classic quote from Ken
> Thompson
>
> "The moral is obvious. You can't trust code that you did not totally create
> yourself. (Especially code from companies that employ people like me.) No
> amount of source-level verification or scrutiny will protect you from using
> untrusted code. In demonstrating the possibility of this kind of attack, I
> picked on the C compiler. I could have picked on any program-handling
> program such as an assembler, a loader, or even hardware microcode. As the
> level of program gets lower, these bugs will be harder and harder to detect.
> A well installed microcode bug will be almost impossible to detect." From
> this article: http://cm.bell-labs.com/who/ken/trust.html
>
> Myra Nelson



Right.
That's what I referred to when I began the mail with

> First off, there's an implicit level of trust on the package software,
> no matter which OS you use...


