1 |
On Sun, 17 Jun 2012 12:56:34 -0400 |
2 |
Matthew Finkel <matthew.finkel@×××××.com> wrote: |
3 |
|
4 |
> On Sun, Jun 17, 2012 at 11:51 AM, Michał Górny <mgorny@g.o> |
5 |
> wrote: |
6 |
> > 1. How does it increase security? |
7 |
> > |
8 |
> This removed a few vectors of attack and ensures your computer is only |
9 |
> bootstrapped by and booted using software you think is safe. By using |
10 |
> any software we don't write, we make a lot of assumptions. |
11 |
|
12 |
I agree that it removes a few vectors of attack. But this doesn't |
13 |
necessarily mean the system is more secure. It has one vulnerability |
14 |
less but let's not get overenthusiastic. |
15 |
|
16 |
I'm basically trying to point out that a single solution like that can |
17 |
do more evil than good if people will believe it's perfect. |
18 |
|
19 |
> > 3. What happens if the machine signing the blobs is compromised? |
20 |
> > |
21 |
> See above. But also, a compromised system wouldn't necessarily mean |
22 |
> the blobs would be compromised as well. In addition, ideally the |
23 |
> priv-key would be kept isolated to ensure a compromise would be |
24 |
> extremely difficult. |
25 |
|
26 |
In my opinion, if a toolchain is quietly compromised, everything built |
27 |
on the particular machine can be compromised. And signed. I doubt that |
28 |
someone will check bit-exact machine code of the toolchain |
29 |
and operating system before starting to sign packages. |
30 |
|
31 |
-- |
32 |
Best regards, |
33 |
Michał Górny |