On 21 July 2008, Josh Bressers wrote:
> On 19 July 2008, "Justin Cappos" wrote:
> >
> > By the way, did you remove the ability for mirror admins to select a
> > subnet where they'll serve all of the traffic? We're particularly
> > concerned about this issue in the short term. We took our mirror
> > down (mirror1.lockdownhosting.com) quite a while ago so we can't check
> > for ourselves.
> >
>
> I don't know the answer to this, so I'm adding the Fedora Infrastructure
> list to the CC.
>
> For you Fedora Infrastructure guys, this is regarding this paper:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
>
> Thanks.
>
Sadly I'm resending this. The Fedora Infrastructure group doesn't have
their act together, so my original message is stuck in a moderator queue
nobody has the password for. I've subscribed to the list for the purpose
of sending this mail.
Can someone respond to the above question from Justin?
Thanks.
--
JB
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
07-25-2008, 03:29 PM
Mike McGrath
YUM security issues...
On Fri, 25 Jul 2008, Josh Bressers wrote:
> On 21 July 2008, Josh Bressers wrote:
> > On 19 July 2008, "Justin Cappos" wrote:
> > >
> > > By the way, did you remove the ability for mirror admins to select a
> > > subnet where they'll serve all of the traffic? We're particularly
> > > concerned about this issue in the short term. We took our mirror
> > > down (mirror1.lockdownhosting.com) quite a while ago so we can't check
> > > for ourselves.
> > >
> >
> > I don't know the answer to this, so I'm adding the Fedora Infrastructure
> > list to the CC.
> >
> > For you Fedora Infrastructure guys, this is regarding this paper:
> > http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
> >
> > Thanks.
> >
>
> Sadly I'm resending this. The Fedora Infrastructure group doesn't have
> their act together, so my original message is stuck in a moderator queue
> nobody has the password for. I've subscribed to the list for the purpose
> of sending this mail.
>
> Can someone respond to the above question from Justin?
>
Wow, what a nice way to ask for help. One wonders why you didn't just
file a bug or contact admin@fedoraproject.org.
https://fedorahosted.org/fedora-infrastructure/
Side note, I'm still waiting on RHIT to email me a password for the list.
-Mike
07-25-2008, 03:37 PM
Mike McGrath
YUM security issues...
On Fri, 25 Jul 2008, Mike McGrath wrote:
> On Fri, 25 Jul 2008, Josh Bressers wrote:
>
> > On 21 July 2008, Josh Bressers wrote:
> > > On 19 July 2008, "Justin Cappos" wrote:
> > > >
> > > > By the way, did you remove the ability for mirror admins to select a
> > > > subnet where they'll serve all of the traffic? We're particularly
> > > > concerned about this issue in the short term. We took our mirror
> > > > down (mirror1.lockdownhosting.com) quite a while ago so we can't check
> > > > for ourselves.
> > > >
> > >
AFAIK, this service is still in place and working fine. Though I am a
little confused about the question. It sounds like you'd like to direct
all subnet traffic to a specific mirror. But you're also saying you took
your mirror down. Are you worried people in your subnet are being
directed to a down mirror?
-Mike
07-25-2008, 03:42 PM
Jesse Keating
YUM security issues...
On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
>
> AFAIK, this service is still in place and working fine. Though I am a
> little confused about the question. It sounds like you'd like to direct
> all subnet traffic to a specific mirror. But you're also saying you took
> your mirror down. Are you worried people in your subnet are being
> directed to a down mirror?
More like taking over a subnet and directing all clients at a rogue
mirror.
--
Jesse Keating
Fedora -- Freedom² is a feature!
07-25-2008, 03:43 PM
Josh Bressers
YUM security issues...
On 25 July 2008, Mike McGrath wrote:
> On Fri, 25 Jul 2008, Mike McGrath wrote:
>
> > On Fri, 25 Jul 2008, Josh Bressers wrote:
> >
> > > On 21 July 2008, Josh Bressers wrote:
> > > > On 19 July 2008, "Justin Cappos" wrote:
> > > > >
> > > > > By the way, did you remove the ability for mirror admins to select a
> > > > > subnet where they'll serve all of the traffic? We're particularly
> > > > > concerned about this issue in the short term. We took our mirror
> > > > > down (mirror1.lockdownhosting.com) quite a while ago so we can't check
> > > > > for ourselves.
> > > > >
> > > >
>
> AFAIK, this service is still in place and working fine. Though I am a
> little confused about the question. It sounds like you'd like to direct
> all subnet traffic to a specific mirror. But you're also saying you took
> your mirror down. Are you worried people in your subnet are being
> directed to a down mirror?
>
No, the problem is what happens when a malicious mirror claims a subnet?
This is currently being viewed as a security issue due to this research:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
--
JB
07-25-2008, 03:43 PM
Mike McGrath
YUM security issues...
On Fri, 25 Jul 2008, Jesse Keating wrote:
> On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
> >
> > AFAIK, this service is still in place and working fine. Though I am a
> > little confused about the question. It sounds like you'd like to direct
> > all subnet traffic to a specific mirror. But you're also saying you took
> > your mirror down. Are you worried people in your subnet are being
> > directed to a down mirror?
>
> More like taking over a subnet and directing all clients at a rogue
> mirror.
>
<nod> that makes more sense. Domsch?
-Mike
07-25-2008, 04:07 PM
Matt Domsch
YUM security issues...
On Fri, Jul 25, 2008 at 10:43:59AM -0500, Mike McGrath wrote:
> On Fri, 25 Jul 2008, Jesse Keating wrote:
>
> > On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
> > >
> > > AFAIK, this service is still in place and working fine. Though I am a
> > > little confused about the question. It sounds like you'd like to direct
> > > all subnet traffic to a specific mirror. But you're also saying you took
> > > your mirror down. Are you worried people in your subnet are being
> > > directed to a down mirror?
> >
> > More like taking over a subnet and directing all clients at a rogue
> > mirror.
>
> <nod> that makes more sense. Domsch?
Yes, this is a known challenge with subnet delegation in
MirrorManager. We're trusting package signing (and soon, repodata
signing) to prevent rogue mirrors from issuing unsigned data. In
addition, I'm working on adding in a way to prevent stale mirrors
(with signed content) from being used.
--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
07-25-2008, 04:35 PM
Mike McGrath
YUM security issues...
On Fri, 25 Jul 2008, Matt Domsch wrote:
> On Fri, Jul 25, 2008 at 10:43:59AM -0500, Mike McGrath wrote:
> > On Fri, 25 Jul 2008, Jesse Keating wrote:
> >
> > > On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
> > > >
> > > > AFAIK, this service is still in place and working fine. Though I am a
> > > > little confused about the question. It sounds like you'd like to direct
> > > > all subnet traffic to a specific mirror. But you're also saying you took
> > > > your mirror down. Are you worried people in your subnet are being
> > > > directed to a down mirror?
> > >
> > > More like taking over a subnet and directing all clients at a rogue
> > > mirror.
> >
> > <nod> that makes more sense. Domsch?
>
> Yes, this is a known challenge with subnet delegation in
> MirrorManager. We're trusting package signing (and soon, repodata
> signing) to prevent rogue mirrors from issuing unsigned data. In
> addition, I'm working on adding in a way to prevent stale mirrors
> (with signed content) from being used.
>
Perhaps it might also be a good idea to add a comment to the default
yum.conf for gpgcheck explaining what a bad idea it is to set it to 0. I
could imagine people setting it to 0 not understanding what
they're doing. Especially if they're familiar with gpg's encryption bits,
but not its signing functionality.
-Mike
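An audit for the gpgcheck setting discussed in the message above, as an added example that is not part of the original thread or of any Fedora tool: it reports enabled repositories whose effective gpgcheck is off, treating a value in [main] as the default for repo sections. The file names, sample configs, example.invalid URLs and the set of values treated as "off" are constructed assumptions.

```python
import configparser

# Spellings treated as "off" (assumption of this example).
FALSEY = {"0", "false", "no", "off"}

# Constructed sample input, not taken from any real system.
SAMPLE_YUM_CONF = "[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n"
SAMPLE_REPOS = {
    "fedora.repo": "[fedora]\nname=Fedora\n"
                   "mirrorlist=https://mirrors.example.invalid/list\nenabled=1\n",
    "local.repo": "[local-builds]\nbaseurl=http://repo.example.invalid/\ngpgcheck=0\n"
                  "[local-debug]\nbaseurl=http://repo.example.invalid/debug\n"
                  "enabled=0\ngpgcheck=0\n",
}

def _parse(text):
    # interpolation=None: repo files may contain '%' and '$releasever'-style variables
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit_gpgcheck(yum_conf, repo_files):
    """Return [(file, repo_id, reason)] for enabled repos without package signature checks."""
    main = _parse(yum_conf)
    # gpgcheck in [main] is the default for every repository section.
    main_val = main.get("main", "gpgcheck", fallback=None)
    sources = [("yum.conf", main)]
    sources += [(name, _parse(text)) for name, text in sorted(repo_files.items())]
    findings = []
    for name, cp in sources:
        for repo in cp.sections():
            if repo == "main":
                continue
            if cp.get(repo, "enabled", fallback="1").strip().lower() in FALSEY:
                continue  # disabled repos are not used
            own = cp.get(repo, "gpgcheck", fallback=None)
            effective = own if own is not None else main_val
            if effective is None:
                findings.append((name, repo, "gpgcheck unset here and in [main]"))
            elif effective.strip().lower() in FALSEY:
                origin = "repo section" if own is not None else "[main] default"
                findings.append((name, repo, f"gpgcheck={effective.strip()} from {origin}"))
    return findings

if __name__ == "__main__":
    for finding in audit_gpgcheck(SAMPLE_YUM_CONF, SAMPLE_REPOS):
        print(*finding, sep=": ")
```

A repository with no gpgcheck value anywhere is reported separately so it can be reviewed rather than assumed safe.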
07-25-2008, 04:46 PM
Josh Bressers
YUM security issues...
On 25 July 2008, Matt Domsch wrote:
>
> Yes, this is a known challenge with subnet delegation in
> MirrorManager. We're trusting package signing (and soon, repodata
> signing) to prevent rogue mirrors from issuing unsigned data. In
> addition, I'm working on adding in a way to prevent stale mirrors
> (with signed content) from being used.
>
How does one get this subnet delegation though? Can I request any subnet I
want, or do we do some sort of verification?
What happens if the client decides its mirror is bad? I presume it will go
off and find a better one, even with delegation?
Thanks.
--
JB