1 |
On Fri, 2006-05-19 at 15:13 +0100, Chris Bainbridge wrote: |
2 |
> There are now several hundred gentoo developers. It is more likely |
3 |
> that one of them has a security lapse than cvs.gentoo.org. |
4 |
One is a "local" bug, the other one "global". |
5 |
I'd prefer a system that is resilient against two devs going crazy - |
6 |
right now the "right" persons could stage a manipulation that would be |
7 |
hard to detect and where your (single central) signature fails quite |
8 |
nicely. |
9 |
|
10 |
> It is a single signature across the entire portage tree. It means that |
11 |
> after rsync emerge can check the signature against the retrieved tree |
12 |
> to validate the whole tree (or overlay). |
13 |
It's very coarse - Yes / No |
14 |
Doesn't tell you what failed how ... so I DoS it by inserting one bit on |
15 |
any rsync mirror and it will "fail". You don't know what fails where ... |
16 |
|
17 |
> Instead of guessing performance, test it. We can assume that disk |
18 |
> activity is negligible - we have a dedicated server, and the portage |
19 |
> tree is ~115MB, so most of it will be cached in main memory. In |
20 |
> particular there is no disk seek latency. To simulate that we can |
21 |
> gather everything into a single file (which also has the side effect |
22 |
> of pulling into the cache) and then gpg sign that file: |
23 |
> |
24 |
> find /usr/portage -path '/usr/portage/metadata' -prune -o -path |
25 |
> '/usr/portage/distfiles' -prune -o -path '/usr/portage/packages' |
26 |
> -prune -o -type f -exec cat {} > /tmp/blah \; |
27 |
> time gpg --detach-sign -a /tmp/blah |
28 |
> |
29 |
> I get 1.5 seconds on a desktop and 6.5 seconds on a laptop. |
30 |
ok |
31 |
|
32 |
> > > The benefits of this would be that changes are minimised - developers |
33 |
> > > and users act the same, the impact on the tree is a 191 byte |
34 |
> > > signature, and yet it will protect against the most likely and most |
35 |
> > > practical form of attack. |
36 |
> > So ... DoS scenario |
37 |
> > I just add one byte to the tree and the signature fails ... what then? |
38 |
> |
39 |
> Emerge informs the user that the rsync server has been corrupted and |
40 |
> terminates. How would this be any different with distributed file |
41 |
> signing? |
42 |
You can't upgrade and you don't know what fails where ... |
43 |
|
44 |
> You have to rsync the entire tree, and then verify it - at |
45 |
> that point the tree is already corrupt. Ideally overlayfs (or just |
46 |
> plain old keeping a backup) could be used to restore the pre-sync |
47 |
> tree. |
48 |
Right, but ... what caused the error? |
49 |
|
50 |
> It could be done in stages. Start with the (easier) central key, then |
51 |
> later add distributed keys. I think a hybrid system would be the ideal |
52 |
> system, but realistically, bug #5902 has been around since March 2003 |
53 |
> and no real progress has been made. |
54 |
That bug appears quite unrelated to me ... how does FEATURES="userpriv" |
55 |
relate to signing? |
56 |
|
57 |
> The main sticking point seems to |
58 |
> be disagreements over key management and policies. I would hope that |
59 |
> most people could agree that a single key with a post-commit signing |
60 |
> is better than what we have now, |
61 |
debatable |
62 |
> and could be easily implemented, |
63 |
yes |
64 |
> whilst leaving open the option of a hybrid system implementation at a |
65 |
> later date. |
66 |
yes |
67 |
|
68 |
but that's not a cure. You'd have to sign _each file_ to get a |
69 |
reasonable tampering detection, or at least per-directory. You add a |
70 |
single point of failure and give attackers a high-profile target. |
71 |
|
72 |
It's like security checks at the airport: It gives you the illusion of |
73 |
security, it inconveniences everybody ... and it's easier for me to |
74 |
smuggle a bomb aboard because noone thinks it's possible. (It's easy, |
75 |
use a sidechannel attack on the baggage transports, they have bad |
76 |
security ...) |
77 |
|
78 |
Patrick |
79 |
-- |
80 |
Stand still, and let the rest of the universe move |