| 1 |
On Thu, Mar 25, 2004 at 09:24:37AM +0100, John Nilsson wrote: |
| 2 |
> On Thu, 2004-03-25 at 02:45, Robin H. Johnson wrote: |
| 3 |
> > OK, after reading this entire thread, I've been thinking about a usable |
| 4 |
> > implementation from both the administrative and developer perspective. |
| 5 |
> > One of the most important things to remember in designing this, is that while |
| 6 |
> > you can prevent damage from most individual attacks, no system in existence can |
| 7 |
> > withstand a multi-faceted all-out assault. |
| 8 |
> > |
| 9 |
> > Goals: |
| 10 |
> > ------ |
| 11 |
> > - protect against compromised developer box / rogue developer |
| 12 |
> > - protect against compromised rsync server |
| 13 |
> |
| 14 |
> Exactly how secure are we aiming at? The schemes presented here does |
| 15 |
> nothing to secure gentoo boxes from malicious source code. |
| 16 |
That is completely not the intent of this system. This system is |
| 17 |
intended to stop tampering with the portage tree. The portage tree is |
| 18 |
dangerous in it's nature of being executable shell. |
| 19 |
|
| 20 |
As an example, open up the latest version of some ebuild and at the very top |
| 21 |
add in: "echo bang", now run an emerge operation, say 'emerge -p |
| 22 |
package' where package uses the ebuild that you just modified, and see |
| 23 |
emerge throw 'bang' out on your screen. If you aren't running with |
| 24 |
FEATURES=userpriv, you're could be in for a world of trouble here (and |
| 25 |
even userpriv can be circumvented). A malicously inserted 'rm -rf / &' |
| 26 |
or MUCH worse. |
| 27 |
|
| 28 |
> If a patch is signed, with a good signature, does that mean that the |
| 29 |
> signers has audited the patch for security holes? |
| 30 |
While this is a laudable goal, the amount of patches going thru the |
| 31 |
system make this impossible in some cases. I can say for example that I |
| 32 |
have reviewed _every_ patch that is used with qmail (which I maintain). |
| 33 |
|
| 34 |
> What is to say that the source compiled with an ebuild is not |
| 35 |
> compromised? |
| 36 |
Verifying that an application has not been tampered with is an |
| 37 |
end-to-end process. As an example, our digests on source tarballs allow |
| 38 |
us to detect tampering on a gentoo mirror or upstream, provided we know |
| 39 |
that the source was in a good state to start off with. I usually do |
| 40 |
verify that a source tarball has a good md5sum with a gpg signature if |
| 41 |
one is available (in many cases it isn't). |
| 42 |
|
| 43 |
> Of course we should do our part to make a secure transaction of |
| 44 |
> source, but the costs has to be weighted to the gains. Any security |
| 45 |
> scheme must be virtually transparent to the developers or it is not |
| 46 |
> worth it, until we can secure the actual code. |
| 47 |
My proposed setup is transparent to developers in all but one way: the |
| 48 |
possible case that developers don't use an agent to store their GPG |
| 49 |
passphrase and need to enter it to commit (or have a in-memory timeout |
| 50 |
for security with an agent). |
| 51 |
|
| 52 |
-- |
| 53 |
Robin Hugh Johnson |
| 54 |
E-Mail : robbat2@××××××××××××××.net |
| 55 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
| 56 |
ICQ# : 30269588 or 41961639 |
| 57 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives