| 1 |
On Sun, 7 Nov 2004 12:01:35 -0500 |
| 2 |
Chris Frey <cdfrey@×××××××××.ca> wrote: |
| 3 |
|
| 4 |
> You don't. But that's like saying there's no point in closing the front |
| 5 |
> door since the bedroom window might be open. If the front door is |
| 6 |
> closed and locked, then at least we can pay more attention to the open |
| 7 |
> window. |
| 8 |
|
| 9 |
But you have not achieved more security. That is the point. If a |
| 10 |
distributor promises package integrity through signatures, they are |
| 11 |
lying. It is like showing of the locked front door without mentioning the |
| 12 |
open bedroom window. |
| 13 |
|
| 14 |
OTOH: If you are responsible for the front door's security, you should |
| 15 |
close it, of course. This is why Gentoo *should* use signatures. |
| 16 |
However, it is wrong to excpect or even promise a great improvement in |
| 17 |
security through this measure. |
| 18 |
|
| 19 |
> |
| 20 |
> Plus, the glibc ebuild maintainer should be tracking the changes. He |
| 21 |
> knows what's going on in glibc land, he knows the build process, he |
| 22 |
> should be in touch with the main developers, and he should be reading |
| 23 |
> the diffs. |
| 24 |
|
| 25 |
This might work for glibc (Don't know, really.). But it certainly won't |
| 26 |
work for many other packages. All the developer can do here is trust the |
| 27 |
guy at the bedroom window - just to stay with that example. |
| 28 |
|
| 29 |
> |
| 30 |
> If he doesn't have the time or skill to do that, he can at least compare |
| 31 |
> against the work of people who do, such as the source packages of Debian |
| 32 |
> or Fedora Core. It is pretty easy to do a diff. |
| 33 |
|
| 34 |
And Debian will compare against Gentoo, while Redhat compares gainst Suse, |
| 35 |
who in turn... |
| 36 |
|
| 37 |
My point being: Manipulations can be subtle, escpecially if they are |
| 38 |
carefully planned. Many eys are necessary to spot them. Manipulations at a |
| 39 |
low-level (a projects CVS-server) could easily propagate to many distros. |
| 40 |
So it comes down to either check for yourself or trust the upstream |
| 41 |
developers and their signatures and checksums. |
| 42 |
|
| 43 |
If you use signatures to verify a package, you have to understand exactly |
| 44 |
what guarantees are given. |
| 45 |
|
| 46 |
This is exactly one thing: |
| 47 |
The package or ebuild is identical to the version the Gentoo developer |
| 48 |
signed, provided that his workstation has not been compromised. |
| 49 |
|
| 50 |
Nothing else is guaranteed. |
| 51 |
|
| 52 |
The reason signing still makes sense is numbers and probability. There are |
| 53 |
only few developer machines, they are mostly unknown to attackers and are |
| 54 |
hopefully not used as servers. |
| 55 |
|
| 56 |
rsync mirrors, otoh, are many, well known and constantly exposed to the |
| 57 |
internet. |
| 58 |
|
| 59 |
Regards |
| 60 |
|
| 61 |
-- |
| 62 |
gentoo-security@g.o mailing list |
Archives