Gentoo Archives: gentoo-security

From: Marc Ballarin <Ballarin.Marc@×××.de>
To: Dan Margolis <dmargoli@××××××××××.edu>
Cc: simons@××××.to, gentoo-security@l.g.o
Subject: Re: [gentoo-security] Is anybody else worried about this?
Date: Sun, 07 Nov 2004 17:34:38
Message-Id: 20041107183443.1beaf80e.Ballarin.Marc@gmx.de
On Sun, 07 Nov 2004 11:58:13 -0500
Dan Margolis <dmargoli@××××××××××.edu> wrote:

> Actually, kernel.org *does* sign their downloads; their public key is
> available on any of the major TTP PGP servers (from which you download
> using SSL signed by a trusted CA whose cert you already have installed
> from when you got your computer or whatever). Microsoft at the very
> least uses SSL of the same nature, but I suspect they also use digital
> signatures on each package to provide the same security; I'm sure the
> public key was pre-distributed with your computer.

They do, but a self-verifying executable running with administrator
privileges is rather pointless. (Of course, the user could right-click and
check the properties, but who knows this?)
Additionally, Microsoft (and probably Redhat) have the advantage of a
rather centralised structure. They have tight control over their network
and their developers' workstations.
OTOH Gentoo's or Debian's developers are spread world-wide, which makes
key exchange and evaluation of the security of a developer's personal
computer quite difficult.

>
> RedHat provides the same faculty, based on GPG, with up2date.

The questions are: What are they signing? Have they audited the source
code from which they built the RPM? What are their guarantees?
(The last question was actually non-rhetorical ;-)

As an example, a few years ago, Microsoft shipped an MSDN CD that contained
a virus. It wasn't signed, but had it been, the virus would have been
signed as well.

> So it's not like we're really far behind the 8 ball here, but this *is*
> a possible problem, the fix is well understood and implementable, and
> some people do already fix it (and, in my opinion, it would be negligent
> not to).

I think that improperly used signatures are a dangerous placebo.
Developers have to be well aware of how to treat and use their keys.
Users have to be thoroughly educated about the meaning of a signature (i.e.
which guarantees it gives and which it cannot give).
If this does not happen, there will be a lot of dangerous
misunderstanding and - eventually - bad blood.

If both - users and developers - are informed, then keys *are* a useful
measure that makes operation of mirrors easier and more reliable.
But it still does not improve the trust you should have in the software
as a whole.

Regards

--
gentoo-security@g.o mailing list
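The point the reply above makes about the limits of a signature can be seen directly with gpg. The script below is an added example, not code from the original thread, from Gentoo or from any of the vendors mentioned: it builds a throwaway keyring with a stand-in release key and a second, unrelated key, signs a harmless file and a "virus" with the release key, and then checks detached signatures the way a careful user should, against a fingerprint pinned out of band rather than against whatever gpg happens to accept. The key identities, file names and messages are all invented for the demonstration. Of the four cases, the file tampered after signing and the signature made by the unrelated key are rejected; the genuine file and the malware are both accepted, which is exactly the MSDN-CD case above: a valid signature tells you who signed, not whether what they signed is safe. It also shows why a plain `gpg --verify` exiting 0 is not enough, since it does so for any key present in the keyring.

```shell
#!/bin/sh
# Added example, not part of the original thread. Everything below is
# constructed locally in a throwaway GNUPGHOME: the "release", the "virus"
# and both signing keys are stand-ins, and nothing is downloaded.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# gpg without prompts: batch mode, empty passphrase, no pinentry.
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of a key in the local keyring.
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Two keys: the project's release key and an unrelated key that also ended
# up in the user's keyring (from a keyserver, a colleague, whatever).
gpgb --quick-generate-key 'Release Bot (example) <release@example.invalid>' default default 2>/dev/null
gpgb --quick-generate-key 'Someone Else (example) <other@example.invalid>' default default 2>/dev/null

# What a careful user has pinned out of band: a fingerprint obtained from a
# source independent of the mirror (here simply read from the keyring).
PINNED_FPR=$(fpr_of release@example.invalid)

# 1. Genuine release, signed with the release key.
printf '#!/bin/sh\necho "genuine release"\n' >"$WORK/release.sh"
gpgb --local-user release@example.invalid --detach-sign --armor \
     --output "$WORK/release.sh.asc" "$WORK/release.sh"

# 2. The same file modified after signing (a tampered mirror copy).
sed 's/genuine/tampered/' "$WORK/release.sh" >"$WORK/tampered.sh"

# 3. A malicious file signed with the real release key: the MSDN-CD case.
printf '#!/bin/sh\necho "I am the virus"\n' >"$WORK/malware.sh"
gpgb --local-user release@example.invalid --detach-sign --armor \
     --output "$WORK/malware.sh.asc" "$WORK/malware.sh"

# 4. The genuine file, but signed by the other key in the keyring.
gpgb --local-user other@example.invalid --detach-sign --armor \
     --output "$WORK/release.sh.other.asc" "$WORK/release.sh"

# verify_release FILE SIG PINNED_FPR: succeed only if SIG is a valid
# signature over FILE made by the pinned key. "gpg --verify" alone exits 0
# for any key in the keyring, trusted or not, so the fingerprint comparison
# is what ties the artifact to the right signer.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    # "[GNUPG:] VALIDSIG <sig fpr> ... <primary key fpr>" appears only for
    # a good signature; its last field is the primary key fingerprint.
    fpr=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF}')
    if [ -n "$fpr" ] && [ "$fpr" = "$3" ]; then return 0; fi
    return 1
}

demo_genuine()        { verify_release "$WORK/release.sh"  "$WORK/release.sh.asc"       "$PINNED_FPR"; }
demo_tampered()       { verify_release "$WORK/tampered.sh" "$WORK/release.sh.asc"       "$PINNED_FPR"; }
demo_signed_malware() { verify_release "$WORK/malware.sh"  "$WORK/malware.sh.asc"       "$PINNED_FPR"; }
demo_other_key()      { verify_release "$WORK/release.sh"  "$WORK/release.sh.other.asc" "$PINNED_FPR"; }

report() { if "$2"; then echo "$1: ACCEPTED"; else echo "$1: REJECTED"; fi; }
report "genuine release, release key " demo_genuine
report "tampered after signing       " demo_tampered
report "malware signed by release key" demo_signed_malware
report "genuine file, unrelated key  " demo_other_key
```

Run it with `sh verify-demo.sh` on a machine with GnuPG 2.1 or later in PATH; it touches only the temporary directory it creates. The accepted "malware" line is the one to look at: the signature is perfectly valid, because the only thing it attests is that the holder of the release key signed those bytes, which is the whole of what the reply above says a signature can give.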

Replies

Subject Author
Re: [gentoo-security] Is anybody else worried about this? Dan Margolis <krispykringle@g.o>