* Eivind Tagseth (eivindt-gentoo@××××××××.no) wrote:
> Date: Thu, 25 Mar 2004 10:08:20 +0100
> From: Eivind Tagseth <eivindt-gentoo@××××××××.no>
> To: Gentoo Developers <gentoo-dev@l.g.o>
> User-Agent: Mutt/1.5.6i
> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63
> Subject: Re: [gentoo-dev] Redux: 2004.1 will not include a secure portage.
>
> * John Nilsson <john@×××××××.nu> [2004-03-25 09:24:37 +0100]:
> > If a patch is signed, with a good signature, does that mean that the
> > signer has audited the patch for security holes?
> >
> > What is to say that the source compiled with an ebuild is not
> > compromised?
>
> These are the two situations that worry _me_ the most:
>
> 1. A package source code is compromised at the main distribution
>    site (or one of its mirrors).
>
>    This has happened in the past and if I remember correctly,
>    Gentoo linux was able to discover at least one such trojan.
>    The source code had been tampered with, but fortunately, the
>    ebuild digest of that package was able to notice that. This
>    was pure luck, since if the ebuild developer had made his
>    digest _after_ the source code had been compromised, we'd all
>    be running trojans today (well, maybe).
>
>    Having the ebuild developer _sign_ the digest wouldn't help
>    at all. If the original author of the source code had a source
>    code signature, then if gentoo had a mechanism to verify that,
>    then it would have helped.
>

Code review is the only way to stop this most of the time. The other side of it is that many projects provide gpg sigs of the source. One could incorporate that as well into the distribution, which would catch any post-signing mods. Again, not gonna detect anything that's gotten in there during that project's dev cycle.

Aside from every piece of code going through review, I think you gotta just accept this risk and make a system that can easily invalidate any package that may be discovered after the fact, and incorporates the security that's provided by the author (usually a gpg sig).

> 2. A gentoo rsync mirror is compromised.
>
>    There are loads of mirrors, and no way to know how secure each
>    of them is. A compromised mirror may cause a lot of damage.
>    If all ebuilds were signed, then such a security breach wouldn't
>    be much of a threat.

yup esp with 1+N sigs etc. (/me beats dead horse)

>
> Eivind
>
> --
> gentoo-dev@g.o mailing list
>

--
gentoo-dev@g.o mailing list
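Added here to illustrate the two cases discussed in the thread; this is a constructed toy model, not code from the thread or from Portage. It assumes a Manifest that is a signed list of digests, uses HMAC as a stand-in for a GPG signature, and the package data, key names and check_package function are all made up for the example.

```python
import hashlib
import hmac
# Constructed model of Portage-style digests plus signatures; not Portage's own code.
# HMAC with a secret held only by the signer stands in for a GPG signature.
UPSTREAM_KEY = b"upstream-author-key"  # the project's release-signing key
DEV_KEY = b"ebuild-dev-key"            # the ebuild developer's key
def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()
def sig_ok(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)
def digest(data):
    return hashlib.sha256(data).hexdigest()

def make_manifest(key, ebuild, tarball):
    """'ebuild digest': hash whatever is fetched right now, then sign the list."""
    body = f"EBUILD {digest(ebuild)}\nDIST {digest(tarball)}\n"
    return {"body": body, "sig": sign(key, body.encode())}

def check_package(ebuild, tarball, manifest, upstream_sig=None):
    """Return the problems found; an empty list means the package verifies."""
    problems = []
    if not sig_ok(DEV_KEY, manifest["body"].encode(), manifest["sig"]):
        problems.append("manifest not signed by the developer")
    want = dict(line.split() for line in manifest["body"].splitlines())
    if want.get("EBUILD") != digest(ebuild):
        problems.append("ebuild digest mismatch")
    if want.get("DIST") != digest(tarball):
        problems.append("distfile digest mismatch")
    # Optionally also require upstream's own signature over the distfile.
    if upstream_sig is not None and not sig_ok(UPSTREAM_KEY, tarball, upstream_sig):
        problems.append("upstream signature does not match distfile")
    return problems

def scenarios():
    ebuild = b"SRC_URI=http://example.invalid/foo-1.0.tar.gz\n"  # constructed
    clean, trojaned = b"clean foo-1.0 source", b"trojaned foo-1.0 source"
    upstream_sig = sign(UPSTREAM_KEY, clean)  # upstream signed the clean release
    good = make_manifest(DEV_KEY, ebuild, clean)
    out = {}
    # Case 2: a compromised mirror rewrites the ebuild and re-signs the Manifest without the dev key.
    evil = ebuild + b"RDEPEND=trojan\n"
    out["mirror"] = check_package(evil, clean, make_manifest(b"attacker", evil, clean))
    # Case 1, tarball trojaned after the developer ran digest: the hash catches it.
    out["after_digest"] = check_package(ebuild, trojaned, good)
    # Case 1, digest run after the trojan was planted: only upstream's signature catches it.
    late = make_manifest(DEV_KEY, ebuild, trojaned)
    out["before_digest"] = check_package(ebuild, trojaned, late)
    out["before_digest_upstream"] = check_package(ebuild, trojaned, late, upstream_sig)
    return out
```

The "before_digest" case returns no problems at all, which is the pure-luck situation the quoted mail describes; only the extra upstream check flags it.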