From owner-freebsd-security@FreeBSD.ORG Sun Jun 22 23:16:25 2014
From: philj@openmailbox.org
To: Chris Nehren
Cc: freebsd-security@freebsd.org
Date: Mon, 23 Jun 2014 09:16:20 +1000
Subject: Re: Ports tree insecure because of IGNOREFILES+IGNORE
In-Reply-To: <5004359.PqOTrjIgg6@behemoth>
References: <5004359.PqOTrjIgg6@behemoth>
List-Id: "Security issues [members-only posting]"

On 2014-06-22 22:40, Chris Nehren wrote:
> On Sunday, June 22, 2014 22:31:50 philj@openmailbox.org wrote:
>> The IGNOREFILES+IGNORE mechanism allows port maintainers to
>> disable checksum checks. I feel that this mechanism is a stain
>> on an otherwise fantastic ports system. It reduces user
>> confidence in security and makes us all sitting ducks for
>> sophisticated adversaries.
>
> Er. There's nothing stopping a port maintainer from saying
> "Sorry, the distfiles aren't fetchable from the master sites any
> more, I can host a copy" and then hosting a malicious distfile. Or
> doing any number of simpler things to cause a problem. The
> Project doesn't have the resources to audit every single
> distfile's code. If you're that paranoid, you're welcome to do
> so yourself.

Chris,

You have a valid point, of course, though in this case I was assuming the port maintainers themselves are trustworthy (just in case you got the impression from my first paragraph that I was painting the port maintainers black).

We've seen in the news, at least for Windows, that sophisticated adversaries with man-in-the-middle capabilities are making use of cleartext crash-dump logs, hash collisions (so far only MD5), and weaknesses in the system's update mechanism. I believe the Project does take these threats very seriously, even though superhuman auditing ability is an impractical goal. That's why freebsd-update and portsnap use keys. It's why the vast majority of distinfo files have SHA256 hashes. It's why the /usr/sbin/pkg bootstrapper got blacklisted in versions of FreeBSD that can't verify the signatures.

The good news for those who are worried is that all the ports I've mentioned have been marked broken, and the IGNOREFILES+IGNORE mechanism is now pending removal. Here's a copy of a reply from Baptiste Daroussin (bapt at FreeBSD.org) for those who aren't subscribed to freebsd-ports:

------------------------------------------------------------
All the said ports have been marked as broken; the "feature" removal is pending review.

Thanks for the heads up, I wasn't aware of this "feature".

regards,
Bapt
------------------------------------------------------------
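The distinfo check the thread is about, as an added example that is not part of this message and is not the FreeBSD ports framework's own checksum target: a small sh script that verifies a fetched distfile against the SHA256 and SIZE lines of a ports-style distinfo file and refuses any file that has no SHA256 entry, which is the opposite of what an IGNOREFILES+IGNORE entry did. It assumes the two-lines-per-file distinfo layout shown in the comments, and the sample distfiles, the temporary DISTDIR and the names verify_distfile, file_sha256, demo_setup and demo are the example's own, constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not FreeBSD ports code): check a distfile against a
# ports-style distinfo file and REFUSE a file that has no SHA256 entry,
# instead of skipping the check the way IGNOREFILES+IGNORE did.
# Assumed distinfo layout (hypothetical, one pair of lines per file):
#   SHA256 (name-1.0.tar.gz) = <64 lowercase hex chars>
#   SIZE (name-1.0.tar.gz) = <bytes>

# Portable SHA-256 of a file: sha256(1) on FreeBSD, sha256sum(1) on Linux,
# shasum(1) as a last resort.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO DISTDIR NAME
# Exit status: 0 = SHA256 (and SIZE, if listed) match the file on disk
#              1 = mismatch: the fetched bytes are not the recorded ones
#              2 = distinfo has no SHA256 line for NAME; refuse, do not skip
verify_distfile() {
    distinfo=$1; distdir=$2; name=$3
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')   # escape dots for the BRE
    want_hash=$(sed -n "s/^SHA256 ($pat) = \([0-9a-f]\{64\}\)\$/\1/p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($pat) = \([0-9]\{1,\}\)\$/\1/p" "$distinfo")

    if [ -z "$want_hash" ]; then
        echo "$name: no SHA256 entry in distinfo, refusing to use it" >&2
        return 2
    fi
    have_hash=$(file_sha256 "$distdir/$name")
    if [ "$have_hash" != "$want_hash" ]; then
        echo "$name: SHA256 mismatch (want $want_hash, got $have_hash)" >&2
        return 1
    fi
    if [ -n "$want_size" ] && [ "$(file_size "$distdir/$name")" != "$want_size" ]; then
        echo "$name: size mismatch" >&2
        return 1
    fi
    return 0
}

# Build a throwaway DISTDIR with constructed sample distfiles and a distinfo:
#   good:     bytes match the recorded hash
#   tampered: same size as good, one byte changed after distinfo was written
#   unhashed: listed with SIZE only, as an IGNOREFILES-style entry would be
demo_setup() {
    d=$(mktemp -d)
    printf 'hello ports\n' > "$d/good-1.0.tar.gz"
    printf 'hello ports\n' > "$d/tampered-1.0.tar.gz"
    printf 'no hash here\n' > "$d/unhashed-1.0.tar.gz"
    h=$(file_sha256 "$d/good-1.0.tar.gz")
    s=$(file_size "$d/good-1.0.tar.gz")
    {
        printf 'SHA256 (good-1.0.tar.gz) = %s\n' "$h"
        printf 'SIZE (good-1.0.tar.gz) = %s\n' "$s"
        printf 'SHA256 (tampered-1.0.tar.gz) = %s\n' "$h"
        printf 'SIZE (tampered-1.0.tar.gz) = %s\n' "$s"
        printf 'SIZE (unhashed-1.0.tar.gz) = %s\n' "$(file_size "$d/unhashed-1.0.tar.gz")"
    } > "$d/distinfo"
    printf 'hellO ports\n' > "$d/tampered-1.0.tar.gz"   # the man in the middle
    echo "$d"
}

demo() {
    d=$(demo_setup)
    for f in good-1.0.tar.gz tampered-1.0.tar.gz unhashed-1.0.tar.gz; do
        if verify_distfile "$d/distinfo" "$d" "$f"; then
            echo "$f: OK"
        else
            echo "$f: rejected (status $?)"
        fi
    done
    rm -rf "$d"
}

demo
```

The point of the status-2 branch is the policy difference: a size-only entry is treated as an error to fix in the port, not as permission to install whatever the mirror served. Run it with sh on either FreeBSD or Linux; only the hashing tool differs.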