| 1 |
On 07 Nov 2004 14:14:28 +0100 |
| 2 |
Peter Simons <simons@××××.to> wrote: |
| 3 |
|
| 4 |
> Fellow Gentoo'ers, |
| 5 |
> |
| 6 |
> I have to say that I am shocked by Alexander's posting. Once |
| 7 |
> more I am forced to recognize that there is a difference |
| 8 |
> between knowing that an exploit is "theoretically possible" |
| 9 |
> and _seeing_ the actual exploit implemented in under 50 |
| 10 |
> lines of code. |
| 11 |
|
| 12 |
Sorry if this sounds harsh, but calling this an exploit is ridiculous. If |
| 13 |
this is an exploit, this is as well: "rm -rf /" |
| 14 |
Just hack a portage mirror, and add it to some script... |
| 15 |
As it stands, it is plain FUD. |
| 16 |
|
| 17 |
If you download and execute untrusted code you are in danger. This |
| 18 |
hopefully is common knowledge. |
| 19 |
Wether you download an ISO-image, an update for Windows or a Portage tree |
| 20 |
doesn't matter (not to mention the issue of malicous data, that can |
| 21 |
exploit weaknesses in software...). |
| 22 |
|
| 23 |
Either you can trust the source or you have to verify the data. |
| 24 |
|
| 25 |
You can trust the source, if you know that: |
| 26 |
(1) the server has not been compromised |
| 27 |
(2) your connection has not been compromised (this includes routers, dns, |
| 28 |
proxies, local lan, your local machine) |
| 29 |
(3) the server operator is trustworthy |
| 30 |
(4) the person that originally created the software is trustworthy |
| 31 |
(5) the server operator's are sufficiently skilled to protect the software |
| 32 |
(6) the person that originally created the software is suffciently skilled |
| 33 |
to protect it |
| 34 |
|
| 35 |
In the case of Gentoo there are risks mainly at 1 and 5, additionally at |
| 36 |
2 and maybe 3. |
| 37 |
5 and especially 6 are general problems of open source |
| 38 |
|
| 39 |
However, none of those issues is specific to Gentoo or Open Source as a |
| 40 |
whole. This is just the nature of a public network. |
| 41 |
|
| 42 |
You can verify the data, if: |
| 43 |
(1) a person has digitally signed the data |
| 44 |
(2) the person in (1) is trustworthy |
| 45 |
(3) the person in (1) is suffciently skilled to judge the integrity of |
| 46 |
data |
| 47 |
(4) the person in (1) knows how to handle the keys safely |
| 48 |
(5) the person in (1) has not been compromised |
| 49 |
(6) you have a secure way to obtain that persons public key |
| 50 |
(7) you know how to use digital signatures |
| 51 |
|
| 52 |
In case of Gentoo 1 is easy. 2 as well; if you don't trust the developers |
| 53 |
you should not be using Gentoo. |
| 54 |
3 is plain impossible. There is no possibility of a complete code |
| 55 |
review. No distributor can do this, so it comes down to the reliability |
| 56 |
of the individual open source projects. The person who signs the files has |
| 57 |
to trust the original authors of the software. |
| 58 |
4 is already difficult. If you have to sign a lot of files each day |
| 59 |
you become sloppy. This is almost unavoidable. |
| 60 |
>From an abstracted POV, a public key is just data. So for 6, we are back |
| 61 |
to "You can trust the source, if:"... |
| 62 |
|
| 63 |
> |
| 64 |
> Having said that, I am even more shocked by the fact that |
| 65 |
> this problem has been long known! As a user who doesn't like |
| 66 |
> the idea of giving up control of his machines to random |
| 67 |
> people on the Internet, I would kindly request a statement |
| 68 |
> from the Gentoo developers about this. Specifically: |
| 69 |
> |
| 70 |
|
| 71 |
Well, I am no developer, but: |
| 72 |
> (1) Do you agree that this is a problem? |
| 73 |
|
| 74 |
Of course. It is just in *no* way specific to Gentoo. rsync mirrors can be |
| 75 |
compromised, but so does kernel.org, microsoft.com or any other server. |
| 76 |
Digital signatures aren't used very often, because they are rather |
| 77 |
difficult to handle, and can only solve the problem at one level. |
| 78 |
|
| 79 |
> |
| 80 |
> (2) Are there plans for getting it fixed? |
| 81 |
|
| 82 |
Ther first step were those "Manifest" files, the second step were signed |
| 83 |
Manifest files. See the portage-2.0.51 announcement. |
| 84 |
|
| 85 |
> |
| 86 |
> (3) Is there any estimate how long this will take? |
| 87 |
|
| 88 |
IMO the purely technical issues have been solved mostly. However, those |
| 89 |
are smallest and least important part. |
| 90 |
|
| 91 |
Remember: All that Gentoo can protect against are attempts to manipulate |
| 92 |
data on Gentoo's rsync or file mirrors from the outside. Nothing more. |
| 93 |
They can't protect you from a poorly managed and compromised open source |
| 94 |
project, from a malicious developer in- or outside Gentoo, from a |
| 95 |
developer's compromised machine in- or outside Gentoo or from your own |
| 96 |
mistakes. |
| 97 |
So a signed Portage tree might improve security, but only against one of |
| 98 |
many risks. |
| 99 |
|
| 100 |
Regards |
| 101 |
|
| 102 |
-- |
| 103 |
gentoo-security@g.o mailing list |
Archives