Security Concern - Open Source Binaries
Robin H. Johnson
robbat2 at gentoo.org
Tue Jun 9 21:59:35 CEST 2009
On Tue, Jun 09, 2009 at 03:23:42PM -0400, Daniel Kahn Gillmor wrote:
> however, most gnu/linux distributions do. If you want a centralized
> software aggregator who cryptographically signs off on packages at their
> own distribution step, you should install debian or ubuntu (i know they
> do this, through secure apt) or fedora or gentoo (i'm pretty sure they
> do). I can't speak for other distros.
For Gentoo, if you use the official rsync mirrors (rsync.gentoo.org)
instead of the community mirrors (rsync$N.$CC.gentoo.org), you get one
additional layer of protection, but I'd say that our overall signing
rate isn't as high as I'd like it to be. It varies between 40-80% of
packages as changes are made over time.
> The usual caveats apply, of course: trusting the distro is often the
> same as trusting the weakest link in the chain -- the most sloppy
> developer with commit privileges to the distro, or the most sloppy
> upstream developer, or the least-secured machinery in the chain between
> you and the original developer who wrote the code.
For many distributions, the mirrors are a severe weak point at them
The replay is of note, because it does not require defeating a
signature, but only sending old data to prospective attack targets
instead of the latest version.
The CCS2008 and ;login: February 2009 reports are the best ones to read.
The status of the Gentoo signing plans is linked from there (disclaimer:
I'm the driving force behind them).
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : robbat2 at gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
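The replay point above (stale but validly signed data served by a mirror) is easiest to see with a small client-side check. The following is an added example, not code from Robin's message or from Gentoo: it uses an HMAC as a stand-in for the distribution's detached GnuPG signature, and the `version` and `timestamp` fields, the package list and the seven-day freshness window are all constructed assumptions, since the message does not describe Gentoo's actual manifest format. It shows that a signature-only check accepts an old snapshot, and that a freshness check plus a monotonic version check is what actually rejects the replay and the rollback.

```python
"""
Added example (not from the original message): why a valid signature on
distribution metadata does not by itself defeat replay of stale data, and
the two extra checks a client needs. An HMAC stands in for the distro's
detached GnuPG signature; all names, versions and timestamps are constructed.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the signing key. With real GnuPG the client would
# hold only the public key; the symmetric key here is purely for the demo.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

# Assumed policy: a signed snapshot older than this is treated as stale.
MAX_AGE_SECONDS = 7 * 24 * 3600


def sign_manifest(manifest: dict) -> dict:
    """Build a signed snapshot: canonical JSON body plus a MAC over it."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": mac}


def signature_only_check(snapshot: dict) -> bool:
    """The naive check: is the signature over the body valid? Nothing more."""
    expected = hmac.new(SIGNING_KEY, snapshot["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, snapshot["sig"])


def verify_snapshot(snapshot: dict, last_seen_version: int, now: int) -> tuple:
    """
    Three checks, in order:
      1. signature valid            (stops tampering with the contents)
      2. snapshot not past MAX_AGE  (stops indefinite replay of old data)
      3. version newer than the one this client already applied
                                    (stops rollback to an older, still
                                     validly signed snapshot)
    Returns (accepted, reason).
    """
    if not signature_only_check(snapshot):
        return False, "bad signature"
    manifest = json.loads(snapshot["body"])
    if now - manifest["timestamp"] > MAX_AGE_SECONDS:
        return False, "snapshot expired"
    if manifest["version"] <= last_seen_version:
        return False, "rollback: version not newer than last seen"
    return True, "ok"


# Constructed sample snapshots: an older one and the current one, both
# signed by the legitimate key. A mirror replaying OLD_SNAPSHOT presents
# data the signature check alone is happy with.
OLD_SNAPSHOT = sign_manifest(
    {"version": 5, "timestamp": 1_000_000,
     "packages": {"example-pkg": "1.0"}})
NEW_SNAPSHOT = sign_manifest(
    {"version": 6, "timestamp": 1_000_100,
     "packages": {"example-pkg": "1.1"}})


def tampered(snapshot: dict) -> dict:
    """Constructed attacker-side change to the body, signature left as-is."""
    body = snapshot["body"].replace('"1.1"', '"0.9"').replace('"1.0"', '"0.9"')
    return {"body": body, "sig": snapshot["sig"]}


if __name__ == "__main__":
    # A client that has already applied version 6, a few minutes later.
    print("signature-only accepts replayed old snapshot:",
          signature_only_check(OLD_SNAPSHOT))
    print("full check on replayed old snapshot:",
          verify_snapshot(OLD_SNAPSHOT, last_seen_version=6, now=1_000_200))
    print("full check on current snapshot:",
          verify_snapshot(NEW_SNAPSHOT, last_seen_version=5, now=1_000_200))
    # A fresh client a month later, fed the old snapshot by a stale mirror.
    print("full check, fresh client, stale mirror:",
          verify_snapshot(OLD_SNAPSHOT, last_seen_version=0, now=4_000_000))
    print("tampered body:", verify_snapshot(tampered(NEW_SNAPSHOT), 5, 1_000_200))
```

The ordering matters: the signature is checked first so that the freshness and version fields are only trusted once they are known to come from the signer; checking them on unverified data would let an attacker forge a "fresh" timestamp. A client with no remembered version still relies on the expiry window, which is why the signer must re-sign snapshots periodically even when nothing changed.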