1 |
Ed Grimm said: |
2 |
> On Tue, 17 Feb 2004, Brian Klauss wrote: |
3 |
> |
4 |
>> What I don't understand then is the problem with security of ebuilds. |
5 |
>> If we can validate that the MD5 hash is consistent with the published |
6 |
>> hash, then the package would be considered secure and case is |
7 |
>> effectively closed? |
8 |
>> Right? |
9 |
> |
10 |
> And how do you know the published hash? Are there not entities in the |
11 |
> datastream that could alter both the file you download and the MD5 that |
12 |
> you download? Especially if, as I think I've seen, emerge gets the MD5 |
13 |
> hash from the same source as it gets the source packages. However, even |
14 |
> in the case of multiple mirrors, either the primary FTP server could've |
15 |
> been cracked, or the datastream could be hijacked at the local ISP, |
16 |
> inserting an altered datasream for each file. |
17 |
> |
18 |
> Using a PGP/GPG signature would reduce the questions of trust down to |
19 |
> 'do we trust the gentoo devs', 'do we trust PGP', and 'do we trust the |
20 |
> PGP signature'. Right now, we're also having to trust the primary FTP |
21 |
> server, our local mirror, and all the net in between them and us, |
22 |
> including our ISP, as they're all placed such that they could substitute |
23 |
> alternate versions of both files, and we'd be none the wiser. Some |
24 |
> people believe that is perfectly acceptable. Others do not. |
25 |
> |
26 |
> One could use an X509 sig instead of a PGP sig, although my impression |
27 |
> is that fewer people are familiar with those. On the other hand, they |
28 |
> do have a more refined chain of trust (at least, if you go with an |
29 |
> existing CA rather than your own.) |
30 |
|
31 |
I tend to agree with this point. So far extreme vigilance on the part of |
32 |
the gentoo admins protected us from a potential problem when there was |
33 |
previously a breakin. But in the long run, PGP or some similar |
34 |
alternative would be a whole lot safer. |
35 |
|
36 |
The really big issue is getting that kind of infrastructure in place. Do |
37 |
we have each gentoo dev sign the files he/she is responsible for? I think |
38 |
we can dismiss the possibility of using one key to sign everything. Maybe |
39 |
a key for each software group would be feasible? |
40 |
|
41 |
|
42 |
-- |
43 |
gentoo-security@g.o mailing list |