On 07 Nov 2004 14:14:28 +0100
Peter Simons <simons@××××.to> wrote:

> Fellow Gentoo'ers,
>
> I have to say that I am shocked by Alexander's posting. Once
> more I am forced to recognize that there is a difference
> between knowing that an exploit is "theoretically possible"
> and _seeing_ the actual exploit implemented in under 50
> lines of code.

Sorry if this sounds harsh, but calling this an exploit is ridiculous. If
this is an exploit, this is as well: "rm -rf /"
Just hack a portage mirror, and add it to some script...
As it stands, it is plain FUD.

If you download and execute untrusted code you are in danger. This
hopefully is common knowledge.
Whether you download an ISO-image, an update for Windows or a Portage tree
doesn't matter (not to mention the issue of malicious data, that can
exploit weaknesses in software...).

Either you can trust the source or you have to verify the data.

You can trust the source, if you know that:
(1) the server has not been compromised
(2) your connection has not been compromised (this includes routers, dns,
proxies, local lan, your local machine)
(3) the server operator is trustworthy
(4) the person that originally created the software is trustworthy
(5) the server operators are sufficiently skilled to protect the software
(6) the person that originally created the software is sufficiently skilled
to protect it

In the case of Gentoo there are risks mainly at 1 and 5, additionally at
2 and maybe 3.
5 and especially 6 are general problems of open source.

However, none of those issues is specific to Gentoo or Open Source as a
whole. This is just the nature of a public network.

You can verify the data, if:
(1) a person has digitally signed the data
(2) the person in (1) is trustworthy
(3) the person in (1) is sufficiently skilled to judge the integrity of
data
(4) the person in (1) knows how to handle the keys safely
(5) the person in (1) has not been compromised
(6) you have a secure way to obtain that person's public key
(7) you know how to use digital signatures

In case of Gentoo 1 is easy. 2 as well; if you don't trust the developers
you should not be using Gentoo.
3 is plain impossible. There is no possibility of a complete code
review. No distributor can do this, so it comes down to the reliability
of the individual open source projects. The person who signs the files has
to trust the original authors of the software.
4 is already difficult. If you have to sign a lot of files each day
you become sloppy. This is almost unavoidable.
From an abstracted POV, a public key is just data. So for 6, we are back
to "You can trust the source, if:"...

>
> Having said that, I am even more shocked by the fact that
> this problem has been long known! As a user who doesn't like
> the idea of giving up control of his machines to random
> people on the Internet, I would kindly request a statement
> from the Gentoo developers about this. Specifically:
>

Well, I am no developer, but:
> (1) Do you agree that this is a problem?

Of course. It is just in *no* way specific to Gentoo. rsync mirrors can be
compromised, but so can kernel.org, microsoft.com or any other server.
Digital signatures aren't used very often, because they are rather
difficult to handle, and can only solve the problem at one level.

>
> (2) Are there plans for getting it fixed?

The first step was those "Manifest" files, the second step was signed
Manifest files. See the portage-2.0.51 announcement.

>
> (3) Is there any estimate how long this will take?

IMO the purely technical issues have been solved mostly. However, those
are the smallest and least important part.

Remember: All that Gentoo can protect against are attempts to manipulate
data on Gentoo's rsync or file mirrors from the outside. Nothing more.
They can't protect you from a poorly managed and compromised open source
project, from a malicious developer in- or outside Gentoo, from a
developer's compromised machine in- or outside Gentoo or from your own
mistakes.
So a signed Portage tree might improve security, but only against one of
many risks.

Regards

--
gentoo-security@g.o mailing list
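The mail separates three things that a signed tree can and cannot do: a Manifest of digests catches a modified file, a signature over the Manifest catches a modified Manifest, and neither helps unless the verifying key was obtained some other way than from the mirror itself ("a public key is just data", point 6). The script below is an added example that is not part of this thread and not Portage's own code; it assumes `openssl` is on the PATH, generates throwaway RSA keys inline, and uses a constructed Manifest format of one `<sha256> <filename>` line per file, which is not the real Portage format. The fix for point 6 is modelled as a fingerprint pinned out of band, which `verify_tree` checks before anything else.

```shell
#!/bin/sh
# Added example (not from the original mail or from Portage): a toy signed
# Manifest checked at the three levels the mail separates:
#   1. is the signing key the one we pinned out of band?  (point 6)
#   2. does the signature over Manifest verify under that key?
#   3. does every file in the tree match its Manifest digest?
# Assumes: openssl on PATH. The "<sha256> <name>" Manifest format is
# constructed for this example and is not Portage's real format.
set -eu

# sha256 of a file (or of stdin when no file is given), hex only.
# openssl's -r output is "<hex> *<name>", so keep the first field.
digest() { openssl dgst -sha256 -r "$@" | cut -d' ' -f1; }

# Fingerprint a verifier would pin out of band: sha256 over the DER public key.
pin_fingerprint() { openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | digest; }

# Write TREE/Manifest covering every file in TREE except the Manifest itself.
make_manifest() {
  ( cd "$1" && for f in *; do
      case "$f" in Manifest|Manifest.sig) continue ;; esac
      printf '%s %s\n' "$(digest "$f")" "$f"
    done ) > "$1/Manifest"
}

# Detached RSA/SHA-256 signature over TREE/Manifest with private key KEY.
sign_manifest() { openssl dgst -sha256 -sign "$2" -out "$1/Manifest.sig" "$1/Manifest"; }

# verify_tree TREE PUBKEY PINNED_FP -> 0 if the whole tree checks out, 1 otherwise.
verify_tree() {
  tree=$1 pub=$2 pinned=$3
  [ "$(pin_fingerprint "$pub")" = "$pinned" ] \
    || { echo "REJECT: key is not the pinned one"; return 1; }
  openssl dgst -sha256 -verify "$pub" -signature "$tree/Manifest.sig" "$tree/Manifest" >/dev/null 2>&1 \
    || { echo "REJECT: Manifest signature does not verify"; return 1; }
  while read -r want name; do
    [ "$(digest "$tree/$name")" = "$want" ] \
      || { echo "REJECT: $name does not match Manifest"; return 1; }
  done < "$tree/Manifest"
  echo "OK: $tree"
}

# setup_demo DIR: developer key pair, a two-file tree (constructed content),
# its Manifest and the signature over it.
setup_demo() {
  mkdir -p "$1/tree"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/dev.key" 2>/dev/null
  openssl pkey -in "$1/dev.key" -pubout -out "$1/dev.pub"
  printf 'inherit eutils\n' > "$1/tree/foo-1.0.ebuild"
  printf 'fix build on gcc 3.4\n' > "$1/tree/foo-gcc34.patch"
  make_manifest "$1/tree"
  sign_manifest "$1/tree" "$1/dev.key"
}

run_demo() {
  W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
  setup_demo "$W"
  PIN=$(pin_fingerprint "$W/dev.pub")       # in real life: obtained out of band
  verify_tree "$W/tree" "$W/dev.pub" "$PIN"           # OK
  echo "changed" >> "$W/tree/foo-gcc34.patch"
  verify_tree "$W/tree" "$W/dev.pub" "$PIN" || true   # REJECT: file digest
  make_manifest "$W/tree"                             # Manifest updated, signature now stale
  verify_tree "$W/tree" "$W/dev.pub" "$PIN" || true   # REJECT: signature
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$W/other.key" 2>/dev/null
  openssl pkey -in "$W/other.key" -pubout -out "$W/other.pub"
  sign_manifest "$W/tree" "$W/other.key"              # consistent Manifest + signature, wrong key
  verify_tree "$W/tree" "$W/other.pub" "$PIN" || true # REJECT: key is not the pinned one
}
run_demo
```

The last step of `run_demo` is the point of the mail's item 6: a tree whose Manifest and signature are mutually consistent still verifies only if the public key used is one the verifier already trusted before fetching the tree; without the pinned fingerprint, `openssl dgst -verify` alone would report success.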