On Sun, 07 Nov 2004 12:57:35 -0500
Dan Margolis <krispykringle@g.o> wrote:

> I find all this talk really strange. Basically, "let's not implement a
> security feature, because people might think it provides more security
> than it does, and blame us when it does not provide that security."

I explicitly said that signing should be implemented! I only disagree with
the statement that it is a strong security measure or that its lack is a
great danger to Gentoo users.

>
> In fact, this *does* provide a clearly quantifiable security benefit, in
> that rsync mirrors and channels of distribution (i.e. DNS servers,
> routers, etc) need not be trusted.

This and nothing more. Provided you find a secure way for key
distribution.

> Currently, they must be trusted. So
> this narrows the Trusted Computing Base down quite a bit

On the whole, this bit is quite small. The code that ends up on a Gentoo
system comes from millions of individual workstations and persons.
Well-organized projects like KDE or the kernel have strict peer review and
provide signed packages themselves. Others lack both.

> technical, and anyone can see that this benefits security as a result.
> Now, how much does it benefit? I don't know of a quanta to measure that
> in.

Neither do I. At least it closes a central and rather easy attack
channel that could be used to hit a lot of Gentoo's users (easy once a
weakness in rsyncd is discovered).

But take a look here, to see how little this really means:
http://ftp.gnu.org/MISSING-FILES.README

This could have been used to hit almost every user of free software, and
no amount of signing by distributors would have changed anything.
As a consequence GNU started signing their checksums at the level of
package maintainers.
But this clearly shows that signatures provide no real security unless
everyone in the "food chain" does their part.
This is true between projects and inside projects.

Gentoo is almost at the top of the food chain, so their signatures are
only meaningful if the lower levels do their job properly and Gentoo
itself makes no mistakes.

Regards

--
gentoo-security@g.o mailing list
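An added example, not from this thread or from Gentoo's own tooling, modelling the two situations the reply contrasts: a mirror swapping a tarball after the distributor signed its Manifest, and an upstream server compromised before the distributor fetched it, as in the GNU ftp incident. HMAC stands in for GnuPG signatures, and the keys, file name and tarball contents are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for the upstream maintainer's and the distributor's
# signing keys. HMAC replaces a real GnuPG signature so this runs offline
# with only the standard library; the trust argument is the same.
UPSTREAM_KEY = b"constructed-upstream-maintainer-key"
DISTRO_KEY = b"constructed-distributor-key"

def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def upstream_release(tarball: bytes) -> dict:
    """Maintainer builds the tarball and signs its checksum (what GNU moved to)."""
    digest = sha256(tarball)
    return {"tarball": tarball, "maintainer_sig": sign(UPSTREAM_KEY, digest.encode())}

def distributor_publish(fetched_tarball: bytes) -> dict:
    """Distributor records the digest of whatever it fetched and signs the Manifest."""
    manifest = f"DIST foo-1.0.tar.gz SHA256 {sha256(fetched_tarball)}"
    return {"manifest": manifest, "manifest_sig": sign(DISTRO_KEY, manifest.encode())}

def verify_distributor(pkg: dict, tarball_from_mirror: bytes) -> bool:
    """What a user who checks only the distributor's signature learns."""
    return (verify(DISTRO_KEY, pkg["manifest"].encode(), pkg["manifest_sig"])
            and pkg["manifest"].endswith(sha256(tarball_from_mirror)))

def verify_chain(pkg: dict, tarball_from_mirror: bytes, maintainer_sig: str) -> bool:
    """Distributor signature plus the upstream maintainer's signature on the checksum."""
    return (verify_distributor(pkg, tarball_from_mirror)
            and verify(UPSTREAM_KEY, sha256(tarball_from_mirror).encode(), maintainer_sig))

def scenarios() -> dict:
    good = upstream_release(b"genuine source tree")
    # 1. Honest upstream; a mirror swaps the tarball after the Manifest was signed.
    pkg = distributor_publish(good["tarball"])
    mirror_swap = verify_distributor(pkg, b"tarball replaced on the mirror")
    # 2. Upstream server compromised before the distributor fetched: the trojaned
    #    tarball's digest lands in a perfectly valid distributor-signed Manifest.
    trojaned = b"tarball replaced on upstream ftp"
    pkg2 = distributor_publish(trojaned)
    return {"mirror_swap_passes_distributor_check": mirror_swap,
            "upstream_compromise_passes_distributor_check": verify_distributor(pkg2, trojaned),
            "upstream_compromise_passes_chain_check": verify_chain(pkg2, trojaned, good["maintainer_sig"])}
```

Only the last check, which also requires the maintainer's signature on the checksum, catches the upstream compromise; the distributor's signature alone answers only whether the mirror delivered what the distributor fetched.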