Gentoo Archives: gentoo-security

From: Ed Grimm <paranoid@××××××××××××××××××××××.org>
To: Brian Klauss <brklauss@×××××××××.net>
Cc: gentoo-security@l.g.o, Heikki Levanto <heikki@×××.dk>
Subject: Re: [gentoo-security] Thoughts on Package Security
Date: Wed, 18 Feb 2004 07:19:50
Message-Id: Pine.LNX.4.58.0402180149090.27144@ybec.rq.iarg
In Reply to: Re: [gentoo-security] Thoughts on Package Security by Brian Klauss
On Tue, 17 Feb 2004, Brian Klauss wrote:

> What I don't understand then is the problem with security of ebuilds.
> If we can validate that the MD5 hash is consistent with the published
> hash, then the package would be considered secure and case is
> effectively closed?
> Right?

And how do you know the published hash? Are there not entities in the
datastream that could alter both the file you download and the MD5 that
you download? Especially if, as I think I've seen, emerge gets the MD5
hash from the same source as it gets the source packages. However, even
in the case of multiple mirrors, either the primary FTP server could've
been cracked, or the datastream could be hijacked at the local ISP,
inserting an altered datastream for each file.

Using a PGP/GPG signature would reduce the questions of trust down to
'do we trust the gentoo devs', 'do we trust PGP', and 'do we trust the
PGP signature'. Right now, we're also having to trust the primary FTP
server, our local mirror, and all the net in between them and us,
including our ISP, as they're all placed such that they could substitute
alternate versions of both files, and we'd be none the wiser. Some
people believe that is perfectly acceptable. Others do not.

One could use an X509 sig instead of a PGP sig, although my impression
is that fewer people are familiar with those. On the other hand, they
do have a more refined chain of trust (at least, if you go with an
existing CA rather than your own.)

Ed

> ----- Original Message -----
> From: "Heikki Levanto" <heikki@×××.dk>
> To: <gentoo-security@l.g.o>
> Sent: Tuesday, February 17, 2004 1:01 AM
> Subject: Re: [gentoo-security] Thoughts on Package Security
>
>
>> On Mon, 2004-02-16 at 22:20, Brian Klauss wrote:
>>> Why not take package security one step deeper to ensure the validity
>>> of every ebuild and source-tree?
>>>
>>> Instead of relying upon a master hash of the compressed package,
>>> create a hash for each source file, documentation, makefile, etc.
>>
>> Sorry, I don't see what that would give. If the md5 of the compressed
>> archive is fine, then we know already that it has not been tampered
>> with. Ergo, all contained files are fine.
>>
>> (except for the theoretical possibility of md5-sum collision, which is
>> unlikely to an astronomical degree, and not worth worrying about in real
>> world)
>>
>> Heikki
>>
>> --
>> Heikki Levanto LSD - Levanto Software Development <heikki@×××.dk>

--
gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Thoughts on Package Security will.richey@×××××××××××××.com
Re: [gentoo-security] Thoughts on Package Security J Holder <trs-gml@××××××××××.com>