Date: Wed, 30 Nov 2005 13:01:38 -0200
From: "aristeu" <suporte@wahtec.com.br>
To: "Kris Kennaway" <kris@obsecurity.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Reflections on Trusting Trust
Message-ID: <008a01c5f5be$f6ff3940$e403000a@rickderringer>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer> <20051129232703.GA60060@xor.obsecurity.org> <438CE78F.303@freebsd.org> <20051130000552.GB60924@xor.obsecurity.org> <438D0961.40307@freebsd.org> <20051130032459.GA63255@xor.obsecurity.org>
>> Yes and no. Fixing other potential security risks is good, but not if
>> it leads users to think that the packages are more trustworthy than they
>> really are. In particular, if we started distributing signed packages,
>> I suspect that most people would assume that the signatures guaranteed
>> that the packages were good, rather than simply ensuring that the
>> packages hadn't been modified after they were built.
>>
>> If we're going to sign anything, we need to ensure not just that we're
>> signing what we think we're signing, but also that we're signing what the
>> *end users* think that we're signing.
>
> Seems to me that ignorance and a false sense of security is bad
> wherever it appears, so all we can do is try our best to educate users
> about what they're getting.

I think that with a clear policy the ports and packages could be signed. Something like a banner during installation of a port: "This key ensures that this port was made/arranged by an official FreeBSD port maintainer. The FreeBSD security team does not take responsibility for its contents since it was not scrutinized by them. Good luck!", or, for packages, a similar message saying the package was built on FreeBSD infrastructure, but the FreeBSD team doesn't take responsibility for its contents, bla, bla...

I don't know what kind of authentication you have with port maintainers, but I think between you guys and the port maintainers there must be some good scheme. This part is OK. Now it is just the FreeBSD server and end-user part. Sign it with a "ports system" secret key, and a public key pre-installed on clients. The secret key well guarded on the ports system core... Simple as that, it can mitigate some problems.

I really don't think signing things ensures that a port or package is secure, but it makes a hell of a better job proving that it came from where it says it came from than loose hashes. Other than that, "security by omission", if such a thing exists, won't solve anything.

I know the freebsd-update and portsnap (portsnap I just discovered in this thread) solutions are good. I'm wishing this to be the FreeBSD standard. I don't wanna push things, and I know things don't work this way. I just wanted to show an end-user opinion on the reflections topic... :)

That said, I'm gone....

Thanks and best regards,
--aristeu
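The scheme sketched above (a guarded "ports system" secret key, a public key pre-installed on clients, and a banner that states only what the signature proves), as an added, constructed example that is not part of the original thread or of any FreeBSD tooling. It assumes `openssl` is installed; the package files and their contents are made up for the demo.

```shell
#!/bin/sh
# Constructed demo of "signed means it came from the ports key", not "signed means safe".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build side: the secret key never leaves the build host; only ports-public.pem ships to clients.
make_ports_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ports-secret.pem 2>/dev/null
  openssl pkey -in ports-secret.pem -pubout -out ports-public.pem 2>/dev/null
}

# Build side: detached SHA-256/RSA signature over the package file.
sign_package() {  # $1 = package file
  openssl dgst -sha256 -sign ports-secret.pem -out "$1.sig" "$1"
}

# Client side: verify against the pre-installed public key. Exit 0 only if the bytes
# match what the ports key signed; says nothing about what those bytes do.
verify_package() {  # $1 = package file
  openssl dgst -sha256 -verify ports-public.pem -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Client side: print the kind of banner proposed in the mail, with honest wording.
install_banner() {  # $1 = package file
  if verify_package "$1"; then
    echo "$1: built and signed by the ports system key. Not reviewed by the security team."
  else
    echo "$1: signature check FAILED (modified in transit, or not from the ports key)."
  fi
}

make_ports_key
printf 'pkg: foo-1.0\npayload: harmless\n' > good.pkg;  sign_package good.pkg
# Constructed "bad" package: harmful content that the maintainer nonetheless signed.
printf 'pkg: foo-1.0\npayload: harmful\n'  > bad.pkg;   sign_package bad.pkg
# Constructed tampering: good package modified after signing, original signature kept.
cp good.pkg tampered.pkg; cp good.pkg.sig tampered.pkg.sig
printf 'extra: altered on mirror\n' >> tampered.pkg

for p in good.pkg bad.pkg tampered.pkg; do install_banner "$p"; done
```

Only the tampered file fails: the signed-but-harmful package verifies just like the good one, which is exactly the gap the banner has to explain.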