On Sun, 7 Nov 2004 12:01:35 -0500
Chris Frey <cdfrey@×××××××××.ca> wrote:

> You don't. But that's like saying there's no point in closing the front
> door since the bedroom window might be open. If the front door is
> closed and locked, then at least we can pay more attention to the open
> window.

But you have not achieved more security. That is the point. If a
distributor promises package integrity through signatures, they are
lying. It is like showing off the locked front door without mentioning the
open bedroom window.

OTOH: If you are responsible for the front door's security, you should
close it, of course. This is why Gentoo *should* use signatures.
However, it is wrong to expect or even promise a great improvement in
security through this measure.

>
> Plus, the glibc ebuild maintainer should be tracking the changes. He
> knows what's going on in glibc land, he knows the build process, he
> should be in touch with the main developers, and he should be reading
> the diffs.

This might work for glibc (Don't know, really.). But it certainly won't
work for many other packages. All the developer can do here is trust the
guy at the bedroom window - just to stay with that example.

>
> If he doesn't have the time or skill to do that, he can at least compare
> against the work of people who do, such as the source packages of Debian
> or Fedora Core. It is pretty easy to do a diff.

And Debian will compare against Gentoo, while Redhat compares against Suse,
who in turn...

My point being: Manipulations can be subtle, especially if they are
carefully planned. Many eyes are necessary to spot them. Manipulations at a
low level (a project's CVS server) could easily propagate to many distros.
So it comes down to either check for yourself or trust the upstream
developers and their signatures and checksums.

If you use signatures to verify a package, you have to understand exactly
what guarantees are given.

This is exactly one thing:
The package or ebuild is identical to the version the Gentoo developer
signed, provided that his workstation has not been compromised.

Nothing else is guaranteed.

The reason signing still makes sense is numbers and probability. There are
only a few developer machines, they are mostly unknown to attackers and are
hopefully not used as servers.

rsync mirrors, otoh, are many, well known and constantly exposed to the
internet.

Regards

--
gentoo-security@g.o mailing list
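The guarantee the message spells out (a verified signature proves only that the fetched files are identical to what the developer signed, not that upstream was clean) can be made concrete with a small model of Manifest signing. The following is an added example written for this page, not code from the thread or from Gentoo's tools; it assumes a Manifest-like text of per-file SHA256 digests and stands in HMAC-SHA256 under a developer-only key for the real detached OpenPGP signature, so that it runs on the standard library alone. The file names, contents and key are constructed.

```python
"""
Added example (not from the original thread): a model of distributor-side
Manifest signing that shows which tampering a signature check catches.

Assumptions: the "signature" is HMAC-SHA256 under a key only the developer
holds (a stand-in for an OpenPGP detached signature); the Manifest format is a
simplified 'DIST <name> <size> SHA256 <hex>' line per file.
"""
import hashlib
import hmac

# Constructed developer signing key; in reality a private OpenPGP key.
DEVELOPER_KEY = b"constructed-developer-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Write one 'DIST <name> <size> SHA256 <hex>' line per distributed file."""
    lines = [
        f"DIST {name} {len(data)} SHA256 {sha256_hex(data)}"
        for name, data in sorted(files.items())
    ]
    return "\n".join(lines) + "\n"


def sign(manifest: str, key: bytes) -> str:
    """Developer signs the Manifest text (stand-in for a detached signature)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify(manifest: str, signature: str, key: bytes, files: dict):
    """
    What a user can check after fetching Manifest, signature and files from a
    mirror: (1) the signature over the Manifest is the developer's, and
    (2) every fetched file has the size and digest the developer signed.
    Returns (ok, reason).
    """
    if not hmac.compare_digest(sign(manifest, key), signature):
        return False, "manifest signature invalid (Manifest altered after signing)"
    for line in manifest.splitlines():
        _, name, size, _, digest = line.split()
        data = files.get(name)
        if data is None:
            return False, f"{name} missing"
        if len(data) != int(size) or sha256_hex(data) != digest:
            return False, f"{name} does not match what the developer signed"
    return True, "every file is identical to what the developer signed"


# Constructed tarball contents for the two scenarios.
GOOD_TARBALL = b"clean upstream source"
ALTERED_TARBALL = b"upstream source altered before release"


def scenario_mirror_tampering():
    """Developer signs the clean tarball; a mirror later serves an altered copy.
    This is the case the signature is designed to catch."""
    manifest = build_manifest({"foo-1.0.tar.gz": GOOD_TARBALL})
    sig = sign(manifest, DEVELOPER_KEY)
    served = {"foo-1.0.tar.gz": ALTERED_TARBALL}
    return verify(manifest, sig, DEVELOPER_KEY, served)


def scenario_upstream_compromise():
    """Upstream's repository was altered before the developer fetched it, so the
    developer hashes and signs the altered tarball in good faith. The signature
    verifies: it says nothing about what happened upstream."""
    manifest = build_manifest({"foo-1.0.tar.gz": ALTERED_TARBALL})
    sig = sign(manifest, DEVELOPER_KEY)
    served = {"foo-1.0.tar.gz": ALTERED_TARBALL}
    return verify(manifest, sig, DEVELOPER_KEY, served)


def scenario_manifest_rewritten():
    """Mirror rewrites the Manifest to match its altered tarball but cannot
    produce the developer's signature over the new text."""
    manifest = build_manifest({"foo-1.0.tar.gz": GOOD_TARBALL})
    sig = sign(manifest, DEVELOPER_KEY)
    rewritten = build_manifest({"foo-1.0.tar.gz": ALTERED_TARBALL})
    served = {"foo-1.0.tar.gz": ALTERED_TARBALL}
    return verify(rewritten, sig, DEVELOPER_KEY, served)


if __name__ == "__main__":
    print("mirror tampering:   ", scenario_mirror_tampering())
    print("manifest rewritten: ", scenario_manifest_rewritten())
    print("upstream compromise:", scenario_upstream_compromise())
```

The first two scenarios fail verification, which is the rsync-mirror case the message says signing is worth having for. The third passes, which is the bedroom window: the check confirms the developer's signed view of the package and nothing upstream of it, and a compromised developer workstation would let an attacker sign whatever they like.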