Date:      Tue, 02 Jan 2001 09:57:20 -0700
From:      Wes Peters <wes@softweyr.com>
To:        Kris Kennaway <kris@FreeBSD.ORG>
Cc:        Mario Sergio Fujikawa Ferreira <lioux@uol.com.br>, "Michael C . Wu" <keichii@peorth.iteration.net>, ports@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject:   Re: Package signing tools
Message-ID:  <3A520870.D272B379@softweyr.com>
References:  <3A4ED1C0.14061CE5@softweyr.com> <20001231003920.A24519@peorth.iteration.net> <3A4EDCA9.5CEA7114@softweyr.com> <20010101083459.B12422@citusc.usc.edu> <20010101143803.A3416@Fedaykin.here> <3A50C6A8.3E02FAE@softweyr.com> <20010101161001.B3416@Fedaykin.here> <3A50D2B7.5AD86D9E@softweyr.com> <20010102050351.C18277@citusc.usc.edu>

Kris Kennaway wrote:
> 
> On Mon, Jan 01, 2001 at 11:55:51AM -0700, Wes Peters wrote:
> 
> > > > Right.  Should checking the signature be the default, with an option to
> > > > skip it, or should it be optional to pkg_add?
> > >
> > >         I think that it should be optional for now.
> > >         We have an awful amount of non-signed packages floating
> > > around the net. Then, with the next release comes (4.3R or whatever),
> > > this should become the default.
> >
> > I don't see pkg_add refusing to add an unsigned package, since as of yet
> > no signed packages exist.  I can see telling the user the package is
> > unsigned and asking if you want to continue, unless -f has been specified.
> 
> Ideally, this is how we would do it. But it has the obvious
> bootstrapping problems which have already been noted, which we can get
> around by introducing the warning levels in stages so as not to piss
> everyone off when there's nothing that can be done about it (i.e. no
> signed packages).
> 
> We need to think about how this is going to be used by the project,
> too. Packages are built automatically, so they'd need to be signed
> automatically. That puts the signing machine(s) in a (more) dangerous
> position, since not only can an attacker who gains access insert their
> own code and have it signed as legit (presently it would just pass
> unnoted), they can steal the key and make arbitrary signed packages of
> their own independently (if they just break in and steal the key it's
> much more likely to go undetected than if they maintain access to do
> it online). Does this open up legal liability for the FreeBSD Project
> under the new and future regime of digital signature laws in the US
> and abroad, etc?

Or more cleverly yet, they can simply add their own cert to the package
and have the install script append it to the default keyring.  Security
of the signing key is the hardest part of any signing scheme, and
requires lots of manual intervention to get right.

One possibility might be to only sign -RELEASE packages and security
related packages, the former signed by the release engineer or the ports
wraith and the latter by the SO.

On the other hand, I think we've come to agreement on what the signing
tools themselves should supply, so I'll get to work on auditing the return
values of pkg_check and having it called by pkg_add and pkg_info if it
is installed on the system.  I'll send the maintainer of pkg_version a
heads-up about how to call it as well, I'm not going to go plunging into
some Perl jungle at this moment.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
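The keyring problem raised in the reply above (a package that ships its own cert and has the install script append it to the default keyring), as an added example that is not part of this thread or of the FreeBSD tools: a pkg_check-style verifier that consults only a pinned keyring, beside one that lets the package extend the keyring, plus the staged pkg_add policy the thread discusses. HMAC-SHA256 stands in for the real public-key signature so the script runs on the standard library alone; the key ids, sample keys and status numbering are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
# Constructed sample keys; HMAC-SHA256 stands in for the public-key signature
# so this runs on the standard library alone. The keyring handling is the point.
PROJECT_KEY = {"id": "freebsd-release", "secret": b"constructed-release-secret"}
ATTACKER_KEY = {"id": "mallory", "secret": b"constructed-attacker-secret"}
TRUSTED_KEYRING = {PROJECT_KEY["id"]: PROJECT_KEY}   # operator-maintained, pinned
OK, UNSIGNED, UNKNOWN_SIGNER, BAD_SIGNATURE = 0, 1, 2, 3  # hypothetical pkg_check statuses

@dataclass
class Package:
    payload: bytes
    signer: str = ""            # key id named in the signature block
    signature: bytes = b""
    bundled_keys: list = field(default_factory=list)  # keys shipped inside the package

def sign(key: dict, data: bytes) -> bytes:
    return hmac.new(key["secret"], data, hashlib.sha256).digest()

def make_package(payload: bytes, key=None, bundled_keys=()) -> Package:
    pkg = Package(payload, bundled_keys=list(bundled_keys))
    if key is not None:
        pkg.signer, pkg.signature = key["id"], sign(key, payload)
    return pkg

def verify_against(pkg: Package, ring: dict) -> int:
    if not pkg.signature:
        return UNSIGNED
    key = ring.get(pkg.signer)
    if key is None:
        return UNKNOWN_SIGNER
    if not hmac.compare_digest(sign(key, pkg.payload), pkg.signature):
        return BAD_SIGNATURE
    return OK

def check_trusting_bundled_keys(pkg: Package, keyring: dict) -> int:
    # Unsafe: appending the package's own keys first lets any package vouch for itself.
    ring = dict(keyring)
    ring.update({k["id"]: k for k in pkg.bundled_keys})
    return verify_against(pkg, ring)

def check_pinned(pkg: Package, keyring: dict) -> int:
    # Safe: only the pinned keyring is consulted; nothing in the package can extend it.
    return verify_against(pkg, keyring)

def pkg_add_allows(status: int, force: bool = False) -> bool:
    # Staged policy from the thread: unsigned warns and passes only with -f; a bad
    # or unknown signature is never installed, -f or not.
    return status == OK or (status == UNSIGNED and force)
```

A self-signed package with its key bundled passes the first checker and is reported as an unknown signer by the second, which is the whole difference between the two trust models.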

