| 1 |
Peter Simons wrote: |
| 2 |
> So if you guys would like to be the laughing stock of the |
| 3 |
> free software community once this vulnerability is exploited |
| 4 |
> for the first time, all I say is: Be my guest. |
| 5 |
|
| 6 |
How is this NOT a problem with every distribution that offers downloads |
| 7 |
... oh, that's right ... ALL of them? Yep. |
| 8 |
|
| 9 |
Instead of a bunch of hounds baying at the Gentoo devs, who do what they |
| 10 |
do without much in the way of remuneration, and who have absolutely the |
| 11 |
best intentions and concern for the user base ... why not HELP them |
| 12 |
design a tool that can help ameliorate the risk to some acceptable level. |
| 13 |
|
| 14 |
I'll agree that having signed files will be a step forward in security, |
| 15 |
but also ack that in the larger scheme of things, it means little. But |
| 16 |
progress in a forward direction is always a good thing. Now, how about |
| 17 |
an independent signature/hash of the entire portage tree? |
| 18 |
|
| 19 |
If I wanted something like that, I might start with some assumptions |
| 20 |
(any of which may be false, but I'm using the assumptions to generate a |
| 21 |
scenario): |
| 22 |
|
| 23 |
1. The master machine (or cluster or whatever) is the source of |
| 24 |
distribution to a limited set of secondary mirrors, from which all other |
| 25 |
mirrors sync, and from those, end users sync. |
| 26 |
|
| 27 |
2. So an end user is perhaps two, but likely three steps away from the |
| 28 |
master. |
| 29 |
|
| 30 |
3. The secondaries sync to the master on a known schedule ... let's say |
| 31 |
hourly. |
| 32 |
|
| 33 |
4. Commits to the master currently happen on no set schedule. |
| 34 |
|
| 35 |
Okay, with those four assumptions, could we do something like this: |
| 36 |
|
| 37 |
1. Queue up commits to the master for 55 minutes of every hour. |
| 38 |
|
| 39 |
2. At minute 55, close off access by the secondary mirrors. |
| 40 |
|
| 41 |
3. Apply the commits to the master. |
| 42 |
|
| 43 |
4. Write a datestamp/serial number into the master, then run a hash |
| 44 |
against it. Put that hash on the gentoo main site, and other places |
| 45 |
where the portage tree is not mirrored, either appended to the hashfile |
| 46 |
(as a serial number / hash pair) or as a standalone hash in a file |
| 47 |
that's named for the serial number, in a directory full of such things. |
| 48 |
|
| 49 |
For example: |
| 50 |
|
| 51 |
export FILENAME=`date | md5sum | cut -f1 -d' '` |
| 52 |
echo $FILENAME >> /usr/portage/serial_number |
| 53 |
tar cf - /usr/portage --exclude distfiles | md5sum \ |
| 54 |
>> /root/$FILENAME |
| 55 |
|
| 56 |
[copy the /root/$FILENAME over to the appropriate distribution points, |
| 57 |
webservers, whatever] |
| 58 |
|
| 59 |
5. Reopen access by the secondaries. |
| 60 |
|
| 61 |
|
| 62 |
Then, at the user end, after performing an emerge sync, the process is |
| 63 |
run again, by portage: |
| 64 |
|
| 65 |
export FILENAME=`cat /usr/portage/serial_number` |
| 66 |
wget http://www.gentoo.org/$FILENAME |
| 67 |
# thus retrieving the checksum for that particular |
| 68 |
# snapshot |
| 69 |
tar cf - /usr/portage --exclude distfiles | md5sum | \ |
| 70 |
diff - $FILENAME |
| 71 |
|
| 72 |
If the checksums match, the diff returns 0, clean tree, and we can all |
| 73 |
start worrying about the packages that are downloaded from the URLS |
| 74 |
contained in each ebuild. |
| 75 |
|
| 76 |
To break this, the main mirror can be compromised (one must presume that |
| 77 |
this is protected) OR a secondary or tertiary mirror can be owned, along |
| 78 |
with at least one source of the checksum file, which are independent of |
| 79 |
all mirror machines. Of course, the combinations of mirror and checksum |
| 80 |
sources mean that alarm bells will be going off pretty quickly, unless |
| 81 |
the main mirror is owned. Then all bets are off, but eventually we all |
| 82 |
die, right? |
| 83 |
|
| 84 |
Okay, that's one scenario, based upon possibly silly assumptions. But it |
| 85 |
or something like it could be implemented. I could probably even pretend |
| 86 |
to be able to help with a portage patch, except that I have no concept |
| 87 |
of the actual infrastructure for portage tree distribution, which will |
| 88 |
tie into how portage works with such a scheme. |
| 89 |
|
| 90 |
Let's be useful to the developers here, folks. Hell, I'm pissed off |
| 91 |
about some of what I've read in this thread, and I don't have any axe to |
| 92 |
grind in the matter. |
| 93 |
|
| 94 |
HTH, |
| 95 |
|
| 96 |
.brian |
| 97 |
|
| 98 |
-- |
| 99 |
Brian Bilbrey : http://www.orbdesigns.com/ |
| 100 |
... maybe they can't be called "volunteers" any more if somebody |
| 101 |
ends up being silly enough to pay them for something they'd have |
| 102 |
done for free anyway. - Linus in the Seattle Times |
| 103 |
|
| 104 |
-- |
| 105 |
gentoo-security@g.o mailing list |
Archives