From: Peter Wemm
To: "Julian H. Stacey"
Cc: ctm-users@freebsd.org
Subject: Re: Future of CTM
Date: Mon, 31 Aug 2015 19:19:28 -0700

On Tuesday, September 01, 2015 02:19:36 AM Julian H. Stacey wrote:
> Peter Wemm wrote:
> > I'm torn about how much to say in public, but there are a couple of
> > problems.
> ...
> Thanks for the analysis Peter.
>
> Before we go deeper, might there by chance be a frustrated SOC
> student whose project fizzled out & who might grasp CTM as a
> replacement/ top up project ? Or students coming to end of summer
> project thinking "That was fun! What next to hack ?"
> http://lists.freebsd.org/pipermail/soc-status/2015-August/date.html
> Perhaps not very likely but might be worth checking, as your post
> nicely describes the remit.

I have been trying to find an example of somebody who is actually verifying
signatures before piping the messages to ctm_rmail. Even the procmailrc
files that you publish at http://www.berklix.com/jhs/txt/ctms.html don't do
signature checking. From your own pages:

    # JJLATER add a check for pgp signature, ref.
    # http://www.freebsd.org/handbook/synching.html#CTM

I did find one person who gpg verified the files he downloaded from ftp and
posted about a corrupted file:
https://lists.freebsd.org/pipermail/ctm-users/2012-December/000376.html
but even then it was a check to see if it was signed by *somebody*, rather
than signed by the pgp key listed on the mailman info pages. Even then, I'd
bet he only did the gpg check as a diagnostic after the ctm run failed.

I actually went looking for sample scripts for how to do this all safely and
there was nothing obvious that turned up in likely searches.

There are some hints about how to do specific key verification here:
http://stackoverflow.com/a/19016152
but note the caveat about it needing to be a pubkey.gpg, not pubkey.asc.

I'd wager that few people (if anybody) are actually doing proper signing key
verification of the email feed, and are therefore completely vulnerable to
mischief. Relying on the ctm-*@freebsd.org email list protection is *not*
sufficient for this, but I would rather not talk about specifics just yet.

My biggest concern is that there is a vast quantity of published documentation
advising people to do dangerous things, with the "oh by the way, and you
probably should protect yourself" aspect left as an exercise for the reader as
an afterthought.

We can't retroactively recall all the bad advice so the only real option is to
break the old dangerous ways and give corrected instructions on how to do it
safely. Make it so that you *need* the script that verifies signatures before
decoding it and sending the delta to ctm_rmail. It should be a choice to
opt-out of being safe, not something you have to research and implement yourself
to opt-in.

That's what led to my current thinking. Would this effort be well spent? I'm
not convinced that it is, but I wouldn't stop somebody from doing the refresh
work.

I'm wondering whether to ask Stephen to switch away from detached signatures
to help force the issue. ie: replace the "ctm-*.nnnn.xz" + "ctm-*.nnnn.xz.sig"
files with "ctm-*.nnnn.xz.gpg" so that gpg is needed to decode
it and at least have the signature status presented right there at decode
time. Likewise for the email deltas, sign and encode the deltas rather than
clearsign - that forces it to be run through gpg in front of ctm_rmail. A
script to check that it's signed by the *right* keys would need to be written
and published for that to be worth anything though. (Processing a ctm email
packet with a valid signature by evilguy@terrorist.org is no safer than
accepting unsigned things)

However, at the very least, I still want to move the ctm files from
ftp://ftp.freebsd.org to something like ftp://ctm.freebsd.org because of the
crawler issue.

--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
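
Added example, not part of the original message and not FreeBSD's own CTM tooling: one way to write the check the message asks for, a filter that releases a signed-and-encoded delta only when the signature was made by a pinned key rather than by *somebody*. The function names and the all-A fingerprint are constructed placeholders, and the keyring argument is assumed to be a binary keyring (pubkey.gpg), per the caveat in the message.

```sh
#!/bin/sh
# Added example (not FreeBSD's own tooling). The fingerprint is a constructed
# placeholder; replace it with the delta signer's published fingerprint(s).
PINNED_FPRS="${PINNED_FPRS:-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names a pinned primary-key fingerprint and no signature was bad, expired,
# or made by an expired or revoked key. A good signature by any other key
# (GOODSIG from "somebody") is rejected.
signed_by_pinned_key() {
    awk -v pinned="$PINNED_FPRS" '
        BEGIN { n = split(toupper(pinned), p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key, the last field its primary key.
        $2 == "VALIDSIG" && (toupper($NF) in ok) { good = 1 }
        END { exit !(good && !bad) }'
}

# $1 = signed-and-encoded delta file (the proposed ctm-*.nnnn.xz.gpg form),
# $2 = path to a binary keyring holding only the signer's key (pubkey.gpg).
# Prints the payload gpg extracted, never the raw input, so nothing outside
# the signed data is passed on to ctm_rmail.
release_if_trusted() {
    tmp=$(mktemp -d) || return 1
    gpg --batch --no-default-keyring --keyring "$2" --status-fd 3 \
        --output "$tmp/payload" --decrypt "$1" 3>"$tmp/status" 2>/dev/null
    if signed_by_pinned_key <"$tmp/status"; then
        cat "$tmp/payload"; rc=0
    else
        echo "rejected: no valid signature from a pinned key" >&2; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: script delta.gpg /path/to/pubkey.gpg | ctm_rmail ...
if [ "$#" -eq 2 ]; then
    release_if_trusted "$1" "$2"
fi
```

The filter fails closed: an unsigned input, a GnuPG build that omits the primary-key field, or a valid signature from an unpinned key all produce no output and a non-zero exit.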