From owner-freebsd-security@FreeBSD.ORG Tue Nov 29 18:33:57 2005
Date: Wed, 30 Nov 2005 05:33:51 +1100
From: Peter Jeremy
To: aristeu
Cc: freebsd-security@freebsd.org
Subject: Re: Reflections on Trusting Trust
Message-ID: <20051129183351.GB32006@cirb503493.alcatel.com.au>
In-Reply-To: <002601c5f4fa$b5115320$e403000a@rickderringer>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer>
User-Agent: Mutt/1.4.2.1i
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
List-Id: "Security issues [members-only posting]"
On Tue, 2005-Nov-29 13:36:31 -0200, aristeu wrote:
>I think the only problem that exists is the package/ports deployment. I
>believe we can't trust only on hashes for this (tar already does a fine job
>on integrity...), because it can be easily circumvented.

Can you explain what you mean here?  Virtually all distfiles needed to
build a port have MD5 and maybe SHA-256 hashes embedded in the ports tree.
The only way to easily circumvent these is to subvert the ports tree -
which gets back to the issue of trusting the FreeBSD distribution.  I agree
that there's currently no integrity checking on packages.  (And, BTW, tar
has no integrity checks.)

>One thing that could do a good job is default install gnupg and pre-install
>some important pgp public keys on ISO releases, on root's profile...
...
>My mom used to say "always prefer the pre-installed pub keys...".

I don't believe this solves anything.  The biggest problem is ensuring that
you can trust your initial keyring or root certificate collection.  Putting
"trusted" keys on an ISO only gives you circular trust - you trust that the
ISO image came from the people who made it.  There's no easy way to verify
that it came from the FreeBSD Project.

The FreeBSD project also discourages the inclusion of GPL code in the base
system, making gnupg unattractive as a base system candidate.

Finally, PGP does not have the concept of "important" keys - this is closer
to the X.509 model.  The base system already includes tools for handling
X.509 signatures (openssl) and there is already a collection of X.509 keys
embedded in the ports system (security/ca-roots).

-- 
Peter Jeremy
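The distinfo check Peter refers to, as an added example that is not part of the original thread or of the FreeBSD ports code: a small Python re-implementation of what the ports tree's `make checksum` target does. A port's `distinfo` records `MD5 (file) = hex`, `SHA256 (file) = hex` and `SIZE (file) = bytes` lines; the fetched distfile is rejected if any recorded value fails to match. The distfile bytes and distinfo text below are constructed for the example (the port name `example-1.0.tar.gz` is made up). The last case shows the limit he points out: an attacker who can rewrite distinfo as well as the distfile, i.e. who has subverted the ports tree, ships matching digests and the check passes.

```python
"""Verify a distfile against ports-style distinfo entries (added example)."""
import hashlib
import re
from typing import Dict, Tuple

# A distinfo line looks like:   SHA256 (foo-1.0.tar.gz) = <hex>
#                               SIZE (foo-1.0.tar.gz) = 12345
_LINE = re.compile(r"^(?P<alg>[A-Z0-9]+) \((?P<file>[^)]+)\) = (?P<val>\S+)$")


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Return {distfile: {ALG: value}}; lines without a '(file)' part
    (e.g. the 'TIMESTAMP = ...' line newer trees carry) are ignored."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            entries.setdefault(m["file"], {})[m["alg"]] = m["val"]
    return entries


def verify_distfile(name: str, data: bytes,
                    distinfo: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Check `data` against every digest and the size recorded for `name`.
    Returns (ok, reason). Missing entries fail closed."""
    recorded = distinfo.get(name)
    if not recorded:
        return False, f"{name}: no distinfo entry"
    if "SIZE" in recorded and int(recorded["SIZE"]) != len(data):
        return False, f"{name}: size {len(data)} != recorded {recorded['SIZE']}"
    checked = 0
    for alg in ("SHA256", "MD5"):
        if alg in recorded:
            got = hashlib.new(alg.lower(), data).hexdigest()
            if got != recorded[alg].lower():
                return False, f"{name}: {alg} mismatch"
            checked += 1
    if checked == 0:
        return False, f"{name}: no digest recorded, cannot verify"
    return True, f"{name}: ok ({checked} digest(s) and size match)"


def build_distinfo(name: str, data: bytes) -> str:
    """Produce the distinfo lines a maintainer (or an attacker with
    write access to the ports tree) would commit for `data`."""
    return "\n".join([
        f"MD5 ({name}) = {hashlib.md5(data).hexdigest()}",
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}",
        f"SIZE ({name}) = {len(data)}",
    ]) + "\n"


def demo() -> Dict[str, bool]:
    """Run the check over constructed inputs; returns pass/fail per case."""
    name = "example-1.0.tar.gz"                       # constructed name
    good = b"\x1f\x8b" + b"example distfile payload " * 8   # constructed bytes
    distinfo = parse_distinfo(build_distinfo(name, good))

    tampered = bytearray(good)
    tampered[10] ^= 0x01            # same length, one bit flipped
    truncated = good[:-1]           # download cut short

    # Ports tree subverted: distinfo rewritten to match the tampered file.
    subverted = parse_distinfo(build_distinfo(name, bytes(tampered)))

    return {
        "pristine": verify_distfile(name, good, distinfo)[0],
        "bitflip": verify_distfile(name, bytes(tampered), distinfo)[0],
        "truncated": verify_distfile(name, truncated, distinfo)[0],
        "subverted_tree": verify_distfile(name, bytes(tampered), subverted)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} {'PASS' if ok else 'FAIL'}")
```

The bit-flip and truncation cases are what the digests are for; the `subverted_tree` case passes precisely because the digests live in the same tree the attacker controls, which is why the thread keeps returning to how one establishes trust in the distribution itself rather than in the hashes.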