1 |
On Thu, Mar 25, 2004 at 09:24:37AM +0100, John Nilsson wrote: |
2 |
> On Thu, 2004-03-25 at 02:45, Robin H. Johnson wrote: |
3 |
> > OK, after reading this entire thread, I've been thinking about a usable |
4 |
> > implementation from both the administrative and developer perspective. |
5 |
> > One of the most important things to remember in designing this, is that while |
6 |
> > you can prevent damage from most individual attacks, no system in existence can |
7 |
> > withstand a multi-faceted all-out assault. |
8 |
> > |
9 |
> > Goals: |
10 |
> > ------ |
11 |
> > - protect against compromised developer box / rogue developer |
12 |
> > - protect against compromised rsync server |
13 |
> |
14 |
> Exactly how secure are we aiming at? The schemes presented here does |
15 |
> nothing to secure gentoo boxes from malicious source code. |
16 |
That is completely not the intent of this system. This system is |
17 |
intended to stop tampering with the portage tree. The portage tree is |
18 |
dangerous in it's nature of being executable shell. |
19 |
|
20 |
As an example, open up the latest version of some ebuild and at the very top |
21 |
add in: "echo bang", now run an emerge operation, say 'emerge -p |
22 |
package' where package uses the ebuild that you just modified, and see |
23 |
emerge throw 'bang' out on your screen. If you aren't running with |
24 |
FEATURES=userpriv, you're could be in for a world of trouble here (and |
25 |
even userpriv can be circumvented). A malicously inserted 'rm -rf / &' |
26 |
or MUCH worse. |
27 |
|
28 |
> If a patch is signed, with a good signature, does that mean that the |
29 |
> signers has audited the patch for security holes? |
30 |
While this is a laudable goal, the amount of patches going thru the |
31 |
system make this impossible in some cases. I can say for example that I |
32 |
have reviewed _every_ patch that is used with qmail (which I maintain). |
33 |
|
34 |
> What is to say that the source compiled with an ebuild is not |
35 |
> compromised? |
36 |
Verifying that an application has not been tampered with is an |
37 |
end-to-end process. As an example, our digests on source tarballs allow |
38 |
us to detect tampering on a gentoo mirror or upstream, provided we know |
39 |
that the source was in a good state to start off with. I usually do |
40 |
verify that a source tarball has a good md5sum with a gpg signature if |
41 |
one is available (in many cases it isn't). |
42 |
|
43 |
> Of course we should do our part to make a secure transaction of |
44 |
> source, but the costs has to be weighted to the gains. Any security |
45 |
> scheme must be virtually transparent to the developers or it is not |
46 |
> worth it, until we can secure the actual code. |
47 |
My proposed setup is transparent to developers in all but one way: the |
48 |
possible case that developers don't use an agent to store their GPG |
49 |
passphrase and need to enter it to commit (or have a in-memory timeout |
50 |
for security with an agent). |
51 |
|
52 |
-- |
53 |
Robin Hugh Johnson |
54 |
E-Mail : robbat2@××××××××××××××.net |
55 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
56 |
ICQ# : 30269588 or 41961639 |
57 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |