Security Concern - Open Source Binaries

Robin H. Johnson robbat2 at
Tue Jun 9 21:59:35 CEST 2009

On Tue, Jun 09, 2009 at 03:23:42PM -0400, Daniel Kahn Gillmor wrote:
> however, most gnu/linux distributions do.  If you want a centralized
> software aggregator who cryptographically signs off on packages at their
> own distribution step, you should install debian or ubuntu (i know they
> do this, through secure apt) or fedora or gentoo (i'm pretty sure they
> do).  I can't speak for other distros.
For Gentoo, if you use the official rsync mirrors (
instead of the community mirrors (rsync$N.$, you get one
additional layer of protection, but I'd say that our overall signing
rate isn't as high as I'd like it to be. It varies between 40-80% of
packages as changes are made over time.

> The usual caveats apply, of course: trusting the distro is often the
> same as trusting the weakest link in the chain -- the most sloppy
> developer with commit privileges to the distro, or the most sloppy
> upstream developer, or the least-secured machinery in the chain between
> you and the original developer who wrote the code.
For many distributions, the mirrors are a severe weak point at them
The replay is of note, because it does not require defeating a
signature, but only sending old data to prospective attack targets
instead of the latest version.

The CCS2008 and ;login: February 2009 reports are the best ones to read.

The status of Gentoo signing plans are linked from there (disclaimer:
I'm the driving force behind them).

Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2 at
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
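The replay point made above is that a mirror can serve metadata that carries a perfectly valid distributor signature yet describes an old package set, so a client that checks only the signature learns nothing about freshness. The following Python is an added example, not code from this thread or from any distribution's tooling: it models signed repository metadata with an issue timestamp and shows that a client must check freshness (a maximum age, in the spirit of the Valid-Until field in Debian Release files) and monotonicity (never accept metadata older than what it has already seen) in addition to the signature. The HMAC is a stand-in for a detached OpenPGP signature, and the key, the seven-day policy, the package names and the timestamps are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the distributor's signing key. A real repository
# uses an OpenPGP key and a detached signature; HMAC keeps this self-contained.
REPO_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE = 7 * 24 * 3600      # assumed policy: reject metadata older than 7 days
CLOCK_SKEW = 300             # tolerate 5 minutes of client/server clock drift
NOW = 1_244_577_575          # constructed "current time" (early June 2009, UTC)


def sign_release(packages: dict, issued_at: int) -> dict:
    """Build signed repository metadata: a canonical JSON body plus a MAC over it."""
    body = json.dumps({"issued": issued_at, "packages": packages},
                      sort_keys=True, separators=(",", ":"))
    mac = hmac.new(REPO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": mac}


def signature_valid(release: dict) -> bool:
    """The check a naive client performs: does the signature match the body?"""
    expected = hmac.new(REPO_KEY, release["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, release["sig"])


def verify_release(release: dict, now: int, last_seen_issued=None, max_age=MAX_AGE):
    """Full client-side check. Returns (accepted, reason).

    A valid signature only proves the distributor signed this body at some
    point; the freshness and rollback checks are what defeat a mirror that
    replays an old, correctly signed snapshot.
    """
    if not signature_valid(release):
        return False, "bad signature"
    meta = json.loads(release["body"])
    issued = meta["issued"]
    if issued > now + CLOCK_SKEW:
        return False, "issued in the future"
    if now - issued > max_age:
        return False, "stale metadata (possible replay)"
    if last_seen_issued is not None and issued < last_seen_issued:
        return False, "rollback (older than metadata already seen)"
    return True, "ok"


def replay_demo(now: int = NOW) -> dict:
    """Three constructed snapshots: the current one, a month-old replay, and a
    two-day-old one served to a client that already saw the current one."""
    fresh = sign_release({"examplepkg": "1.2"}, issued_at=now - 3600)
    old = sign_release({"examplepkg": "1.0"}, issued_at=now - 30 * 86400)
    recent_old = sign_release({"examplepkg": "1.1"}, issued_at=now - 2 * 86400)
    return {
        # The replayed snapshot passes the signature check on its own...
        "old_signature_valid": signature_valid(old),
        # ...but is rejected once freshness is enforced.
        "old_verdict": verify_release(old, now),
        "fresh_verdict": verify_release(fresh, now),
        # Within max_age, yet older than what this client already accepted.
        "rollback_verdict": verify_release(recent_old, now,
                                           last_seen_issued=now - 3600),
    }


if __name__ == "__main__":
    for name, result in replay_demo().items():
        print(f"{name}: {result}")
```

The monotonicity check needs the client to persist the last accepted `issued` value; the freshness check needs the distributor to re-sign metadata regularly even when nothing changed, otherwise legitimate clients start rejecting it once it ages past the policy window.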