On Tue, 17 Feb 2004, Brian Klauss wrote:

> What I don't understand then is the problem with security of ebuilds.
> If we can validate that the MD5 hash is consistent with the published
> hash, then the package would be considered secure and the case is
> effectively closed?
> Right?

And how do you know the published hash? Are there not entities in the
datastream that could alter both the file you download and the MD5 that
you download? Especially if, as I think I've seen, emerge gets the MD5
hash from the same source as it gets the source packages. However, even
in the case of multiple mirrors, either the primary FTP server could've
been cracked, or the datastream could be hijacked at the local ISP,
inserting an altered datastream for each file.

Using a PGP/GPG signature would reduce the questions of trust down to
'do we trust the gentoo devs', 'do we trust PGP', and 'do we trust the
PGP signature'. Right now, we're also having to trust the primary FTP
server, our local mirror, and all the net in between them and us,
including our ISP, as they're all placed such that they could substitute
alternate versions of both files, and we'd be none the wiser. Some
people believe that is perfectly acceptable. Others do not.

One could use an X509 sig instead of a PGP sig, although my impression
is that fewer people are familiar with those. On the other hand, they
do have a more refined chain of trust (at least, if you go with an
existing CA rather than your own.)

Ed

> ----- Original Message -----
> From: "Heikki Levanto" <heikki@×××.dk>
> To: <gentoo-security@l.g.o>
> Sent: Tuesday, February 17, 2004 1:01 AM
> Subject: Re: [gentoo-security] Thoughts on Package Security
>
>
>> On Mon, 2004-02-16 at 22:20, Brian Klauss wrote:
>>> Why not take package security one step deeper to ensure the validity
>>> of every ebuild and source-tree?
>>>
>>> Instead of relying upon a master hash of the compressed package,
>>> create a hash for each source file, documentation, makefile, etc.
>>
>> Sorry, I don't see what that would give. If the md5 of the compressed
>> archive is fine, then we know already that it has not been tampered
>> with. Ergo, all contained files are fine.
>>
>> (except for the theoretical possibility of md5-sum collision, which is
>> unlikely to an astronomical degree, and not worth worrying about in the
>> real world)
>>
>> Heikki
>>
>> --
>> Heikki Levanto LSD - Levanto Software Development <heikki@×××.dk>

--
gentoo-security@g.o mailing list
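The trust argument Ed makes above (a digest fetched from the same mirror as the package proves nothing against a cracked mirror or an ISP-level substitution, while a signature under a key the client already holds does) is easy to demonstrate in code. The following is an added example, not code from the thread or from Portage: it models the mirror as an untrusted data structure, the "MD5 from the same source" check, and the attacker who rewrites both the package and its digest. Ed25519 from the Go standard library stands in for PGP so the example runs offline without gpg; the Mirror type, the function names, and the sample package bytes are all constructed for the illustration. MD5 is used only because it is what the thread discusses; it is no longer collision resistant and a modern manifest would use SHA-2, but that does not change the point about where the digest comes from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Mirror models an untrusted distribution point (hypothetical type for this
// example). It serves the package bytes and the digest file from the same
// place, which is the situation described in the thread.
type Mirror struct {
	Package []byte
	Digest  string // hex MD5, as published alongside the package
	Sig     []byte // detached signature over the digest file, if any
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// PublishHonest is what the project does: hash the package and sign the
// digest file with the developer key (kept off the mirror).
func PublishHonest(pkg []byte, devKey ed25519.PrivateKey) Mirror {
	d := md5Hex(pkg)
	return Mirror{Package: pkg, Digest: d, Sig: ed25519.Sign(devKey, []byte(d))}
}

// Hijack models a cracked mirror or an ISP-level man-in-the-middle: the
// attacker swaps the package and regenerates the digest so it matches.
// Lacking the developer key, the attacker can only leave the old signature.
func Hijack(m Mirror, evil []byte) Mirror {
	return Mirror{Package: evil, Digest: md5Hex(evil), Sig: m.Sig}
}

// VerifyDigestOnly is the check the original poster considered sufficient:
// compare the package against whatever digest the mirror hands out.
func VerifyDigestOnly(m Mirror) bool {
	return md5Hex(m.Package) == m.Digest
}

// VerifySigned is the signature-based check Ed proposes, with Ed25519 in
// place of PGP. devPub is pinned on the client and obtained out of band, so
// the remaining trust question is "do we trust the dev key", not the mirror.
func VerifySigned(m Mirror, devPub ed25519.PublicKey) bool {
	if !ed25519.Verify(devPub, []byte(m.Digest), m.Sig) {
		return false
	}
	return md5Hex(m.Package) == m.Digest
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data standing in for a source tarball and a
	// trojaned replacement; not real package contents.
	good := []byte("foo-1.0.tar.gz: legitimate contents")
	evil := []byte("foo-1.0.tar.gz: contents with a backdoor")

	honest := PublishHonest(good, priv)
	hijacked := Hijack(honest, evil)

	fmt.Println("digest-only, honest mirror:  ", VerifyDigestOnly(honest))   // true
	fmt.Println("digest-only, hijacked mirror:", VerifyDigestOnly(hijacked)) // true: attack undetected
	fmt.Println("signed, honest mirror:       ", VerifySigned(honest, pub))  // true
	fmt.Println("signed, hijacked mirror:     ", VerifySigned(hijacked, pub)) // false: attack detected
}
```

The second line of output is the whole argument: the digest-only check passes on the hijacked mirror because the attacker controls both inputs to the comparison. The signed check fails because the one thing the attacker cannot regenerate is a signature under a key the client already trusts. Replacing the pinned key with one fetched from the mirror would reintroduce exactly the weakness the signature was meant to remove.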