| 1 |
Ed Grimm said: |
| 2 |
> On Tue, 17 Feb 2004, Brian Klauss wrote: |
| 3 |
> |
| 4 |
>> What I don't understand then is the problem with security of ebuilds. |
| 5 |
>> If we can validate that the MD5 hash is consistent with the published |
| 6 |
>> hash, then the package would be considered secure and case is |
| 7 |
>> effectively closed? |
| 8 |
>> Right? |
| 9 |
> |
| 10 |
> And how do you know the published hash? Are there not entities in the |
| 11 |
> datastream that could alter both the file you download and the MD5 that |
| 12 |
> you download? Especially if, as I think I've seen, emerge gets the MD5 |
| 13 |
> hash from the same source as it gets the source packages. However, even |
| 14 |
> in the case of multiple mirrors, either the primary FTP server could've |
| 15 |
> been cracked, or the datastream could be hijacked at the local ISP, |
| 16 |
> inserting an altered datasream for each file. |
| 17 |
> |
| 18 |
> Using a PGP/GPG signature would reduce the questions of trust down to |
| 19 |
> 'do we trust the gentoo devs', 'do we trust PGP', and 'do we trust the |
| 20 |
> PGP signature'. Right now, we're also having to trust the primary FTP |
| 21 |
> server, our local mirror, and all the net in between them and us, |
| 22 |
> including our ISP, as they're all placed such that they could substitute |
| 23 |
> alternate versions of both files, and we'd be none the wiser. Some |
| 24 |
> people believe that is perfectly acceptable. Others do not. |
| 25 |
> |
| 26 |
> One could use an X509 sig instead of a PGP sig, although my impression |
| 27 |
> is that fewer people are familiar with those. On the other hand, they |
| 28 |
> do have a more refined chain of trust (at least, if you go with an |
| 29 |
> existing CA rather than your own.) |
| 30 |
|
| 31 |
I tend to agree with this point. So far extreme vigilance on the part of |
| 32 |
the gentoo admins protected us from a potential problem when there was |
| 33 |
previously a breakin. But in the long run, PGP or some similar |
| 34 |
alternative would be a whole lot safer. |
| 35 |
|
| 36 |
The really big issue is getting that kind of infrastructure in place. Do |
| 37 |
we have each gentoo dev sign the files he/she is responsible for? I think |
| 38 |
we can dismiss the possibility of using one key to sign everything. Maybe |
| 39 |
a key for each software group would be feasible? |
| 40 |
|
| 41 |
|
| 42 |
-- |
| 43 |
gentoo-security@g.o mailing list |
Archives