1 |
On Mon, Jan 13, 2003 at 01:34:31PM -0500, Dylan Carlson wrote: |
2 |
> [2] Gentoo project managers need to kill off inactive developers, and |
3 |
> regularly hold key-signing parties. |
4 |
|
5 |
This is IMHO difficult since the developers are from all over the world. You |
6 |
would have to have local KSP's, then have a trusted party go over to the |
7 |
other countries (or continents) so that by trusting that party all users can |
8 |
verify the validity of the keys. |
9 |
|
10 |
> Having the developer sign each ebuild before a commit will minimize these |
11 |
> risks. If a dev's box is rooted -- the hacker can commit as many hacks as |
12 |
> they want to the Gentoo CVS tree, but the ebuilds will not be signed, and |
13 |
> consequently will be ignored on the Gentoo clients. |
14 |
> |
15 |
> That is why I'm saying one key sign for the whole tree is a bad idea... |
16 |
|
17 |
It won't harm to have a second signature :) |
18 |
|
19 |
My take on this security-aspect (a possible, but probably paranoid solution): |
20 |
|
21 |
The way in which you trust everything begins at the installation-process of |
22 |
the Gentoo Linux distribution. Do you trust the stage-tarballs or provided |
23 |
Gentoo Linux ISO's? To be able to trust those, you will have to check the |
24 |
validity of these files on your current operating system using some tool |
25 |
(let's say a OpenPGP-supporting client). This /assumes/ you trust your |
26 |
current system. If you do not, all things are invalid. |
27 |
|
28 |
So before the paranoid user installs Gentoo Linux using the ISO or tarballs, |
29 |
it will have to check the validity of those files. So the first "barrier" is |
30 |
a signed .iso or .tgz. Lets say the key is of the Gentoo Developer in charge |
31 |
of releases. The paranoid person downloads the public key from a PKI, checks |
32 |
the fingerprint from several locations (gentoo.org, #gentoo, mirrors, the |
33 |
developer himself (this will make him go nuts, but hey, what are developers |
34 |
for :), ...) and/or see if the key is trusted by someone he trusts. |
35 |
|
36 |
Okay, when this is done, he burns the .iso on the CD (I assume here that he |
37 |
installs it using the CD, if he doesn't, he will have to make sure that his |
38 |
own system provides the same tools as the CD, but this shouldn't be a |
39 |
problem) and boots. |
40 |
|
41 |
The next security-aspect is the security of the livecd. If I am not mistaken |
42 |
there are no daemons on the livecd, and if there are, they should only listen |
43 |
to the localhost address per default. Perhaps a firewall blocking all |
44 |
incoming connections could be used, but this should be done with care. |
45 |
Firewalls are only good if they are configured correctly. If not, they are |
46 |
more harmfull then harmless... |
47 |
|
48 |
When the stage1 tarball is installed, the first thing that is done is an |
49 |
"emerge sync". So here lays the next security issue. We will have to make |
50 |
sure that whatever is downloaded into the Portage tree is trusted. Since the |
51 |
emerge-tool itself is trusted (it is contained on the .iso or .tgz) we could |
52 |
have it check for validity. So one implementation is to have Portage support |
53 |
OpenPGP. Lets say it uses pyme (a Python interface to GPGME) so GnuPG and |
54 |
GPGME are also in stage1 (this increases the download ofcourse). It syncs its |
55 |
tree with the remote mirror. |
56 |
|
57 |
Now there are several ways to implement a secure way of handling the ebuilds, |
58 |
most of them have passed the revue. One way of handling (with many thanks to |
59 |
the ppl that proposed and discussed this): |
60 |
|
61 |
1/ Digitally sign each ebuild. This means that all developers have to sign |
62 |
their ebuilds, and that they manually check every proposed change in the |
63 |
bugzilla. |
64 |
Problems: |
65 |
- This is a very intensive process and still not completely |
66 |
secure. The downloaded files could be malicious (cf. |
67 |
sendmail ftp-server hack) but this is something we can't |
68 |
do anything about. We will have to trust the official |
69 |
ftp-servers of the tools. |
70 |
This also means that all developers' keys are available on the .iso. |
71 |
Portage will have to check the signature of every ebuild he wants to |
72 |
emerge. |
73 |
|
74 |
2/ Implement the proposed timeframe. If a tree has not been updated for over |
75 |
x hours, warn so that the person can re-emerge with another mirror. Use a |
76 |
(one or more) filelist(s) which give the latest mtime of each file or |
77 |
directory. Implement this properly. I personally don't know how rsync |
78 |
works, so I can't elaborate on this any further. Digitally sign these |
79 |
files. Because of the nature of this signing, it should be done |
80 |
automatically (it is impossible to have a developer checkout a cvs tree, |
81 |
create the necessary filelists, signing all of them and then upload the |
82 |
whole tree to the server. This is overkill and imposes lots of new |
83 |
problems). So have the main server (or the CVS server) do this (CVS: only |
84 |
when a tree is pulled out and placed on the FTP, or FTP: only when |
85 |
uploading occurs). |
86 |
Problems: |
87 |
- This assumes we trust the CVS- or FTP-server as we do with |
88 |
www.kernel.org. Leave it this way. Users and developers |
89 |
will soon see if there is something wrong, since the |
90 |
Gentoo Development is very active. If you really want, you |
91 |
can have an audit team regularly check if all current |
92 |
ebuilds on the main server resemble the currect versions |
93 |
of the tools. We should also remove vulnerable ebuilds from |
94 |
the server. If one users sees that there is a vulnerable |
95 |
version, he can report it. |
96 |
Portage will have to check the validity of the filelists with his tree |
97 |
(checking the signature of the filelists in general) and the mtime of the |
98 |
ebuilds he wants to emerge. |
99 |
|
100 |
3/ Have Portage individually register every removal of the Portage tree. If |
101 |
an ebuild has been removed, register it in, f.i. "removed-ebuilds". If for |
102 |
some reason that ebuild is available again, give a warning. |
103 |
Since Gentoo doesn't remove "old" ebuilds, the policy of removing only |
104 |
vulnerable ebuilds or ebuilds that won't work (because the tarball itself |
105 |
is removed) helps in this aspect: ebuilds that return from /dev/null are : |
106 |
- risky (a mirror that provides a vulnerable ebuild) |
107 |
- strange (the previous mirror that removed a non-vulnerable ebuild) |
108 |
The first reason is the reason why this should be implemented. The second |
109 |
reason, well, I really don't know why a hacker would remove a |
110 |
non-vulnerable ebuild if he knows the vulnerable ebuilds are removed as |
111 |
well. But hackers are weird, so even if this happens, this means that |
112 |
there is something "wrong" (CVS- or FTP-server hacked). Don't forget that, |
113 |
if the mirror just provides vulnerable ebuilds (or remove non-vulnerable |
114 |
ebuilds) without having a hacker at service that hacked the CVS- or |
115 |
FTP-server) then the filelists will be out-of-sync and Portage will warn |
116 |
you of that. |
117 |
|
118 |
4/ Make the use of sandbox installs mandatory. Using this sandbox, we can |
119 |
easily trap trojans that are activated during the ./configure-steps, as |
120 |
occur often. |
121 |
|
122 |
I think this is an implementation that has a realistic approach (if what I |
123 |
heard on the mailinglist, that the Gentoo-developers have no problems with |
124 |
signing the ebuilds, is true). This doesn't impose restrictions on who can be |
125 |
a gentoo mirror, which is - in my vision - a good thing. Mirrors shouldn't be |
126 |
restricted; the more the better. |
127 |
|
128 |
This makes the installationprocess rather secure (more than it is now). If |
129 |
you want to secure your installation itself, read the Gentoo Security Guide. |
130 |
|
131 |
Now go ahead and shoot holes in this one :) |
132 |
|
133 |
Wkr, |
134 |
Sven Vermeulen |
135 |
|
136 |
-- |
137 |
Fighting for peace is like fucking for virginity. |