| 1 |
On Sun, 07 Nov 2004 12:57:35 -0500 |
| 2 |
Dan Margolis <krispykringle@g.o> wrote: |
| 3 |
|
| 4 |
> I find all this talk really strange. Basically, ``let's not implement a |
| 5 |
> security feature, because people might think it provides more security |
| 6 |
> than it does, and blame us when it does not provide that security.'' |
| 7 |
|
| 8 |
I explicitly said that signing should be implemented! I only disagree with |
| 9 |
the statement that it is a strong security measure or that it's lack is a |
| 10 |
great danger to Gentoo users. |
| 11 |
|
| 12 |
> |
| 13 |
> In fact, this *does* provide a clearly quantifiable security benefit, in |
| 14 |
> that rsync mirrors and channels of distribution (i.e. DNS servers, |
| 15 |
> routers, etc) need not be trusted. |
| 16 |
|
| 17 |
This and nothing more. Provided you find a secure way for key |
| 18 |
distribution. |
| 19 |
|
| 20 |
> Currently, they must be trusted. So |
| 21 |
> this narrows the Trusted Computing Base down quite a bit |
| 22 |
|
| 23 |
In the whole, this bit is quite small. The code that ends up on a Gentoo |
| 24 |
system comes from millions of indivdual workstations and persons. |
| 25 |
Well organized projects like KDE or the kernel have strict peer review and |
| 26 |
provide signed packages themselves. Others lack both. |
| 27 |
|
| 28 |
> technical, and anyone can see that this benefits security as a result. |
| 29 |
> Now, how much does it benefit? I don't know of a quanta to measure that |
| 30 |
> in. |
| 31 |
|
| 32 |
Neither do I. At least, it closes a central and rather easy attack |
| 33 |
channel, that could be used to hit a lot of Gentoo's users (easy once a |
| 34 |
weakness in rsyncd is discovered). |
| 35 |
|
| 36 |
But take a look here, to see how little this really means: |
| 37 |
http://ftp.gnu.org/MISSING-FILES.README |
| 38 |
|
| 39 |
This could have been used to hit almost every user of free software, and |
| 40 |
no amount of signing by distributors would have changed anything. |
| 41 |
As a consequence GNU started signing their checksums at the level of |
| 42 |
package maintainers. |
| 43 |
But this clearly shows, that signatures provide no real security unless |
| 44 |
everyone in the "food-chain" does their part. |
| 45 |
This is true between projects and inside projects. |
| 46 |
|
| 47 |
Gentoo is almost at the top of the food chain, so their signatures are |
| 48 |
only meaningful if the lower levels do their job properly and Gentoo |
| 49 |
itself makes no mistakes. |
| 50 |
|
| 51 |
Regards |
| 52 |
|
| 53 |
-- |
| 54 |
gentoo-security@g.o mailing list |
Archives