Peter Simons wrote:

> So if you guys would like to be the laughing stock of the
> free software community once this vulnerability is exploited
> for the first time, all I say is: Be my guest.

How is this NOT a problem with every distribution that offers downloads
... oh, that's right ... ALL of them? Yep.

Instead of a bunch of hounds baying at the Gentoo devs, who do what they
do without much in the way of remuneration, and who have absolutely the
best intentions and concern for the user base ... why not HELP them
design a tool that can help ameliorate the risk to some acceptable level?

I'll agree that having signed files will be a step forward in security,
but also ack that in the larger scheme of things, it means little. But
progress in a forward direction is always a good thing. Now, how about
an independent signature/hash of the entire portage tree?

If I wanted something like that, I might start with some assumptions
(any of which may be false, but I'm using the assumptions to generate a
scenario):

1. The master machine (or cluster or whatever) is the source of
distribution to a limited set of secondary mirrors, from which all other
mirrors sync, and from those, end users sync.

2. So an end user is perhaps two, but likely three steps away from the
master.

3. The secondaries sync to the master on a known schedule ... let's say
hourly.

4. Commits to the master currently happen on no set schedule.

Okay, with those four assumptions, could we do something like this:

1. Queue up commits to the master for 55 minutes of every hour.

2. At minute 55, close off access by the secondary mirrors.

3. Apply the commits to the master.

4. Write a datestamp/serial number into the master, then run a hash
against it. Put that hash on the gentoo main site, and other places
where the portage tree is not mirrored, either appended to the hashfile
(as a serial number / hash pair) or as a standalone hash in a file
that's named for the serial number, in a directory full of such things.

For example:

export FILENAME=`date | md5sum | cut -f1 -d' '`
# overwrite rather than append: the client cats this file back
# and must get exactly one serial number
echo $FILENAME > /usr/portage/serial_number
tar cf - /usr/portage --exclude distfiles | md5sum \
    >> /root/$FILENAME

[copy the /root/$FILENAME over to the appropriate distribution points,
webservers, whatever]

5. Reopen access by the secondaries.

Then, at the user end, after performing an emerge sync, the process is
run again, by portage:

export FILENAME=`cat /usr/portage/serial_number`
wget http://www.gentoo.org/$FILENAME
# thus retrieving the checksum for that particular
# snapshot (wget saves it as ./$FILENAME)
tar cf - /usr/portage --exclude distfiles | md5sum | \
    diff - $FILENAME

If the checksums match, the diff returns 0, clean tree, and we can all
start worrying about the packages that are downloaded from the URLs
contained in each ebuild.

To break this, the main mirror can be compromised (one must presume that
this is protected) OR a secondary or tertiary mirror can be owned, along
with at least one source of the checksum file, which is independent of
all mirror machines. Of course, the combinations of mirror and checksum
sources mean that alarm bells will be going off pretty quickly, unless
the main mirror is owned. Then all bets are off, but eventually we all
die, right?

Okay, that's one scenario, based upon possibly silly assumptions. But it
or something like it could be implemented. I could probably even pretend
to be able to help with a portage patch, except that I have no concept
of the actual infrastructure for portage tree distribution, which will
tie into how portage works with such a scheme.

Let's be useful to the developers here, folks. Hell, I'm pissed off
about some of what I've read in this thread, and I don't have any axe to
grind in the matter.

HTH,

.brian

-- 
Brian Bilbrey : http://www.orbdesigns.com/
... maybe they can't be called "volunteers" any more if somebody
ends up being silly enough to pay them for something they'd have
done for free anyway. - Linus in the Seattle Times

-- 
gentoo-security@g.o mailing list
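A worked version of the hash-and-serial scheme from the post above, added here as an example; it is not code from the message and not Gentoo's or portage's own code. It keeps the shape of steps 4 and 5 and of the client check (a serial number written into the tree, a digest published on a host that is not a mirror, the client recomputing and comparing), but it hashes sorted relative paths plus file contents with SHA-256 rather than piping a tar stream into md5sum: a tar stream also carries owner, mode and mtime, which a mirror sync need not preserve, and any drift there would break a clean verification. The function names, the EXCLUDE set, the serial_number file name and the sample tree built in a temporary directory are all this example's own assumptions, and the dict hash_site stands in for the web server the post would put the checksum on.

```python
"""Deterministic tree digest bound to a serial number, modelled on the
scheme in the post. Added example, not code from the post or from Gentoo.
Function names, EXCLUDE, SERIAL_FILE and the sample tree are this
example's own assumptions; hash_site is a dict standing in for a web
server that is not a portage mirror."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

EXCLUDE = {"distfiles"}        # top-level dirs left out, like the post's --exclude
SERIAL_FILE = "serial_number"  # written into the tree before hashing (step 4)


def tree_digest(root: Path) -> str:
    """SHA-256 over (relative path, contents) of every regular file under
    root, in sorted path order. Only paths and bytes go in, so owner,
    mode and mtime, which a mirror sync need not preserve, cannot
    perturb the digest the way they would inside a tar stream."""
    h = hashlib.sha256()
    files = sorted((p for p in root.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(root).as_posix())
    for path in files:
        rel = path.relative_to(root)
        if rel.parts[0] in EXCLUDE:
            continue
        name = rel.as_posix().encode()
        data = path.read_bytes()
        # length-prefix each field so ("a", "bc") and ("ab", "c") differ
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def publish(root: Path, serial: str, hash_site: dict) -> str:
    """Master side (step 4): stamp the serial into the tree, hash the
    tree, and record the serial/digest pair at the independent site."""
    (root / SERIAL_FILE).write_text(serial + "\n")
    digest = tree_digest(root)
    hash_site[serial] = digest
    return digest


def verify(root: Path, hash_site: dict) -> bool:
    """Client side: read the serial that arrived with the synced tree,
    fetch the digest published for it, recompute locally and compare."""
    serial = (root / SERIAL_FILE).read_text().strip()
    expected = hash_site.get(serial)
    if expected is None:
        return False   # serial never published: the mirror serves something the master did not
    return hmac.compare_digest(expected, tree_digest(root))


def demo() -> dict:
    """Constructed sample tree: publish it, then simulate what a mirror or
    an attacker might change and record which changes the client catches."""
    hash_site = {}
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "portage"
        ebuild = tree / "app-misc" / "foo" / "foo-1.0.ebuild"
        ebuild.parent.mkdir(parents=True)
        ebuild.write_text('SRC_URI="http://example.invalid/foo-1.0.tar.gz"\n')
        (tree / "distfiles").mkdir()
        (tree / "distfiles" / "foo-1.0.tar.gz").write_bytes(b"tarball")
        publish(tree, "20030504-01", hash_site)

        out = {"clean": verify(tree, hash_site)}
        os.utime(ebuild, (0, 0))                             # metadata churn only
        out["mtime_changed"] = verify(tree, hash_site)
        (tree / "distfiles" / "foo-1.0.tar.gz").write_bytes(b"other")
        out["distfile_changed"] = verify(tree, hash_site)    # distfiles sit outside the digest
        ebuild.write_text('SRC_URI="http://evil.invalid/foo-1.0.tar.gz"\n')
        out["ebuild_tampered"] = verify(tree, hash_site)
        (tree / SERIAL_FILE).write_text("20030504-99\n")     # serial the site never published
        out["unknown_serial"] = verify(tree, hash_site)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'clean' if ok else 'MISMATCH'}")
```

demo() reports which simulated changes the client catches: metadata churn and a changed distfile pass (distfiles are outside the digest, exactly as in the post, which is why the post moves on to worrying about the downloads named in each ebuild), while a modified ebuild or a serial the hash site never published fail. What this does not close off is the compromise of the master that the post already concedes, nor a mirror that keeps serving an old but validly published snapshot; the serial gives the client something to check against a freshness expectation, but this example does not enforce one.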