1 |
I am not officially part of the Gentoo project, so my reply on your mail |
2 |
should not be concidered an official statement from the Gentoo Developers |
3 |
nor from the Gentoo community. |
4 |
|
5 |
> I'm currently working on a feature article on package security. As |
6 |
> there's been yet another CERT advisory |
7 |
> (http://www.cert.org/advisories/CA-2002-28.html) concerning already |
8 |
> widely distributed packages that containted a trojan horse, I'm |
9 |
> contacting several major Linux distributors with the following |
10 |
> questions: |
11 |
> |
12 |
> - How do you make sure, your distribution doesn't contain packages |
13 |
> modified by people unauthorized to do so? |
14 |
|
15 |
Well, if one have such a strategy how can one be absolutely sure people |
16 |
authoriezed to modify packages have pure intentions? At some level one |
17 |
just will have to relay on something / others. It is not possible or at |
18 |
least not effective to reinvent wheels every day. |
19 |
|
20 |
On this mailinglist we've had discussions about pgp-signed ebuilds. Then |
21 |
atleast one can trace security-issues back to spesific signatures and make |
22 |
sure that the source is from whom it claims to be. But secure |
23 |
authentification is not easy to set up and not between people not knowing |
24 |
eachother in person. Two people knowing eachother can easily and securly |
25 |
exchange public-keys this way: Person A generates a crypto-key-pair |
26 |
(private and public, where private key can decrypt messages encrypted with |
27 |
the public key and private key can sign messages, which signature could be |
28 |
verifyed by the public key,) as I said person A generates a |
29 |
crypto-key-pair and sends the public-key to person B by email. At the time |
30 |
B receives this (s)he cannot be 100% sure the key (s)he received in the |
31 |
mail is the key of which A sent. (A person C can teoretically replace the |
32 |
key with an man-in-the-middle-strategy replacing As key while it is |
33 |
transported via other computers from A to B.) So B should now have a phone |
34 |
call with A, and recognize A by voice. When A read her/his publickey's |
35 |
fingerprint to B, B can verify that this indeed is A's public key. Now B |
36 |
can generate a key-pair, encrypt her/his public-key with A's public-key |
37 |
and thus only persons having access to A's private-key can export B's |
38 |
public-key. A can then verify B's key by decryption. - Okey .. but what if |
39 |
A and B do not know eachother .. then they cannot be sure the person they |
40 |
meet in reallife is the great programmer they've talked with on the |
41 |
internett, and well .. if the can, and even if they know eachother .. how |
42 |
can they be absolutely sure the other is not a blackhat or a greyhat? |
43 |
|
44 |
Hmm .. so .. signed ebuilds cannot make sure that all code is free of |
45 |
backdoors and security-bobos. Nevertheless it might make it harder for a |
46 |
blackhat to place dirty code somewhere in the name of someone else, but |
47 |
when uploading I belive the user must verify her-/himself by username and |
48 |
password, which should be kept secret and changed often. And I am not sure |
49 |
there is more security or so much more security as there is work into |
50 |
implementing and maintaining such a system. |
51 |
|
52 |
I believe the gentoo-portage is "secured" this way: |
53 |
|
54 |
1) Only authorized users are allowed to change/update ebuilds in the live |
55 |
tree |
56 |
2) There is some sort of criteria to sort out who's authorized and not |
57 |
3) The criteria in 2 ensures that the persons allowed to change/update |
58 |
portage, they will act to best of the Gentoo community. |
59 |
4) The group of users allowed to apply changes/updates are kept quite |
60 |
small so that it is easier to find a wolf when there is one. |
61 |
5) All mirrors are updated from a centralized server. |
62 |
6) All users download the portage-three with package-checksums from one |
63 |
server and package-source most likely not from the same mirror. (Hmm.. |
64 |
when one does download it from the same mirror it's possible to both |
65 |
change the checksum and the source, but when someone downloads it from two |
66 |
different servers the checksum will not match the source if the source or |
67 |
the checksum is tampered with. - Thus it should be considered important |
68 |
that users immidately informs the community ASAP when they discover such |
69 |
an error. - Emerge denies to continue merging the package into the system |
70 |
before that package-source matches the checksum.) |
71 |
|
72 |
This security-model ensures (more or less) that the user have the same |
73 |
source as the package developer, but - it does not ensure that the source |
74 |
the package-developer has is free of security vulnerabilities. If one |
75 |
should be able to controll that it would require that each |
76 |
ebuild-developer had a holoistic picture containing the whole set of code |
77 |
a program and program it interacts with have, and aswell require that the |
78 |
developer will computer security, and has enough understanding and |
79 |
knowlege. For smaller programs it might be close to possible to do this, |
80 |
but for lager things (i.e. most packages) it would require huge resources, |
81 |
and then a rotten apple among many good apples is enough ... :( |
82 |
|
83 |
What I say is that I am not sure if we ever can make sure computers really |
84 |
are a safe medium and that the computer does nothing but what we'd like it |
85 |
to do. Of cource I could program my own computer (say that I trust some |
86 |
vendors to make the hardware) I could write my very own operating system, |
87 |
but then it would most likely not interact too well with other computers |
88 |
(or well .. it would make a huge potensial security-risk.) This of course |
89 |
is very paranoid and not practical either. |
90 |
|
91 |
> - If your company uses mirrors to distribute single packages and |
92 |
> updates, how do you make sure nobody tampers with the packages on those |
93 |
> mirrors? There are mechanisms to ensure package integrity (e.g. MD5Sum) |
94 |
> - are these used for all packages or only for ISO images (if you use |
95 |
> ISOs at all)? |
96 |
|
97 |
All ebuilds (packages) are equiped with a checksum-file with filesize and |
98 |
md5sum. When a user have downloaded the source-files, emerge validates |
99 |
them before it contiunes, compile and install the packages. |
100 |
|
101 |
|
102 |
Regards, |
103 |
Christian Skarby |