Date:      Mon, 31 Aug 2015 19:19:28 -0700
From:      Peter Wemm <peter@wemm.org>
To:        "Julian H. Stacey" <jhs@berklix.com>
Cc:        ctm-users@freebsd.org
Subject:   Re: Future of CTM
Message-ID:  <2133149.u1BgRHIO00@overcee.wemm.org>
In-Reply-To: <201509010020.t810Ja3j063872@fire.js.berklix.net>
References:  <201509010020.t810Ja3j063872@fire.js.berklix.net>


On Tuesday, September 01, 2015 02:19:36 AM Julian H. Stacey wrote:
> Peter Wemm wrote:
> > I'm torn about how much to say in public, but there are a couple of
> > problems.
> ...
> Thanks for the analysis Peter.
> 
> Before we go deeper, might there by chance be a frustrated SOC
> student whose project fizzled out & who might grasp CTM as a
> replacement/ top up project ?  Or students coming to end of summer
> project thinking "That was fun! What next to hack ?"
>   http://lists.freebsd.org/pipermail/soc-status/2015-August/date.html
> Perhaps not very likely but might be worth checking, as your post
> nicely describes the remit.

I have been trying to find an example of somebody who is actually verifying signatures before piping the messages to ctm_rmail.  Even the procmailrc files that you publish at http://www.berklix.com/jhs/txt/ctms.html don't do signature checking.   From your own pages:
# JJLATER add a check for pgp signature, ref.
#       http://www.freebsd.org/handbook/synching.html#CTM

I did find one person who gpg verified the files he downloaded from ftp and posted about a corrupted file:
https://lists.freebsd.org/pipermail/ctm-users/2012-December/000376.html
but even then it was a check to see if it was signed by *somebody*, rather than signed by the pgp key listed on the mailman info pages.   Even then, I'd bet he only did the gpg check as a diagnostic after the ctm run failed.

I actually went looking for sample scripts for how to do this all safely and there was nothing obvious that turned up in likely searches.

There are some hints about how to do specific key verification here:
http://stackoverflow.com/a/19016152
but note the caveat about it needing to be a pubkey.gpg, not pubkey.asc.

I'd wager that few people (if anybody) are actually doing proper signing key verification of the email feed, and are therefore completely vulnerable to mischief.  Relying on the ctm-*@freebsd.org email list protection is *not* sufficient for this, but I would rather not talk about specifics just yet.

My biggest concern is that there is a vast quantity of published documentation advising people to do dangerous things, with the "oh by the way, and you probably should protect yourself" aspect left as an exercise for the reader as an afterthought.

We can't retroactively recall all the bad advice so the only real option is to break the old dangerous ways and give corrected instructions on how to do it safely.  Make it so that you *need* the script that verifies signatures before decoding it and sending the delta to ctm_rmail.  It should be a choice to opt-out of being safe, not something you have to research and implement yourself to opt-in.

That's what led to my current thinking.  Would this effort be well spent?  I'm not convinced that it is, but I wouldn't stop somebody from doing the refresh work.

I'm wondering whether to ask Stephen to switch away from detached signatures to help force the issue.  i.e.: replace the "ctm-*.nnnn.xz" + "ctm-*.nnnn.xz.sig" files with "ctm-*.nnnn.xz.gpg" so that gpg is needed to decode it and at least have the signature status presented right there at decode time.  Likewise for the email deltas, sign and encode the deltas rather than clearsign - that forces it to be run through gpg in front of ctm_rmail.  A script to check that it's signed by the *right* keys would need to be written and published for that to be worth anything though.  (Processing a ctm email packet with a valid signature by evilguy@terrorist.org is no safer than accepting unsigned things.)

However, at the very least, I still want to move the ctm files from ftp://ftp.freebsd.org to something like ftp://ctm.freebsd.org because of the crawler issue.
-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAABCAAGBQJV5QswAAoJEDXWlwnsgJ4EBrcIALTvrvT1gmomTHCF1psG4hf0
I0bEyXaV/d8lZEh0kq4Tx0pH4FXIjuCfCfjYinN9Z/J7oT+k4k0x4vnO8nP7rsYq
qlGaNQY6XoavZVh7Farj0tvP992kMUxQgGjzDVQH59yyHUtPiqHCdNZRkzCIaXIg
U2vtP6oeYQIBApAw/z9cxEa9QMTstj0R3+QtTjI9tesWFjS9KLxP1pYAKLqutmAa
OFTB/gNcCquMs9wmMNID30Uomhw8L/RFI/0eyX62nqC9wSQldLreZ0FuyaQJ47xT
f3HzfW2jKv9BTxUWD1NOTi6hOpD8ixL8xpfZUGd4QW/pKSSUlfUE9LCC5zM46eM=
=VB+4
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2133149.u1BgRHIO00>
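The signature gate discussed in the message above (verify against the *right* key, with a binary pubkey.gpg rather than a .asc, before anything reaches ctm_rmail), as an added example that is not part of the original message, of the CTM project, or of any published procmailrc. It is a POSIX sh script that runs gpg with --status-fd against an isolated keyring and accepts a delta only when the VALIDSIG fingerprint equals one expected fingerprint. The keyring path ./ctm-pubkey.gpg, the EXPECTED_FPR variable, the function names and the example.invalid user ids are assumptions made for this example; the fingerprint to compare against is whatever the ctm-* mailman info page publishes.

```shell
#!/bin/sh
# Added example, not code from the CTM project or from this thread: gate
# ctm_rmail on a signature check that accepts exactly one expected key.
# Assumed names: ./ctm-pubkey.gpg (the trusted key as a binary keyring) and
# EXPECTED_FPR (its 40-hex-digit fingerprint, taken from the ctm-* mailman
# info page). --keyring wants a binary keyring, not an armored one, so an
# ASCII key is converted once with:  gpg --dearmor < ctm-pubkey.asc > ctm-pubkey.gpg

# ctm_check_status EXPECTED_FPR   (gpg --status-fd lines on stdin)
# Succeeds only if gpg reported VALIDSIG whose signing-key or primary-key
# fingerprint equals EXPECTED_FPR and reported no BADSIG/ERRSIG/NO_PUBKEY/
# EXPKEYSIG/REVKEYSIG. "Valid signature by *somebody*" is deliberately not enough.
ctm_check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    ok=0 bad=0
    while IFS= read -r line; do
        case $line in
        "[GNUPG:] VALIDSIG "*)
            set -- $line              # $3 = signing-key fpr, last field = primary fpr
            eval "primary=\${$#}"
            if [ "$3" = "$expected" ] || [ "$primary" = "$expected" ]; then ok=1; fi ;;
        "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
            bad=1 ;;
        esac
    done
    [ "$ok" = 1 ] && [ "$bad" = 0 ]
}

# ctm_verify_delta KEYRING EXPECTED_FPR DELTA   (detached DELTA.sig beside it)
# Verifies against an isolated keyring only (give a path with a slash, e.g.
# ./ctm-pubkey.gpg, or gpg looks for it under GNUPGHOME). Exit 0 means the
# delta may be handed to ctm_rmail; anything else means drop it. Intended use:
#   ctm_verify_delta ./ctm-pubkey.gpg "$EXPECTED_FPR" ctm-src-cur.1234.xz && ctm_rmail ...
ctm_verify_delta() {
    gpg --batch --no-default-keyring --keyring "$1" --status-fd 1 \
        --verify "$3.sig" "$3" 2>/dev/null | ctm_check_status "$2"
}

# ctm_selftest: end-to-end run with throwaway keys in a temporary GNUPGHOME
# (needs gpg 2.1+). Returns 0 only if the genuine signature is accepted and
# both a tampered delta and a signature by an unrelated key are rejected.
# The delta contents and the example.invalid user ids are constructed here.
ctm_selftest() {
    tmp=$(mktemp -d) || return 1
    GNUPGHOME=$tmp/home; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    g="gpg --batch --quiet --pinentry-mode loopback --passphrase"
    $g '' --quick-gen-key 'CTM Test <ctm@example.invalid>' default default never 2>/dev/null || return 1
    $g '' --quick-gen-key 'Evil Guy <evil@example.invalid>' default default never 2>/dev/null || return 1
    good=$(gpg --batch --with-colons --list-keys ctm@example.invalid | awk -F: '/^fpr:/ { print $10; exit }')
    gpg --batch --export ctm@example.invalid > "$tmp/ctm-pubkey.gpg" || return 1   # binary export, no --armor
    printf 'constructed stand-in for a CTM delta\n' > "$tmp/delta"
    cp "$tmp/delta" "$tmp/evil-delta"
    $g '' --local-user ctm@example.invalid --detach-sign --output "$tmp/delta.sig" "$tmp/delta" || return 1
    $g '' --local-user evil@example.invalid --detach-sign --output "$tmp/evil-delta.sig" "$tmp/evil-delta" || return 1
    ctm_verify_delta "$tmp/ctm-pubkey.gpg" "$good" "$tmp/delta" || return 1         # genuine: accepted
    ! ctm_verify_delta "$tmp/ctm-pubkey.gpg" "$good" "$tmp/evil-delta" || return 1  # wrong key: rejected
    printf 'x' >> "$tmp/delta"
    ! ctm_verify_delta "$tmp/ctm-pubkey.gpg" "$good" "$tmp/delta" || return 1       # tampered: rejected
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$tmp"
}
```

The status-line parser is kept separate from the gpg invocation so the accept/reject rule can be exercised with captured status lines, independent of any keys; ctm_selftest runs the whole path with throwaway keys and needs gpg 2.1 or later. Wiring it in as "ctm_verify_delta ... && ctm_rmail ..." gives the opt-out-of-safety behaviour the message asks for: an unsigned delta, a tampered one, or one signed by any key other than the expected fingerprint never reaches ctm_rmail.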