From owner-freebsd-stable@FreeBSD.ORG Mon Nov 17 06:18:32 2003
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7325216A4CE for ; Mon, 17 Nov 2003 06:18:32 -0800 (PST)
Received: from trillian.santala.org (ip212-226-173-33.adsl.kpnqwest.fi [212.226.173.33]) by mx1.FreeBSD.org (Postfix) with SMTP id 7914343F3F for ; Mon, 17 Nov 2003 06:18:30 -0800 (PST) (envelope-from jake@iki.fi)
Received: (qmail 52658 invoked by uid 11053); 17 Nov 2003 14:19:03 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Nov 2003 14:19:03 -0000
Date: Mon, 17 Nov 2003 16:19:03 +0200 (EET)
From: Jarkko Santala
X-X-Sender: jake@trillian.santala.org
To: Carol Overes
In-Reply-To: <20031117140240.41031.qmail@web20710.mail.yahoo.com>
Message-ID: <20031117161033.X35508@trillian.santala.org>
References: <20031117140240.41031.qmail@web20710.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-15
Content-Transfer-Encoding: QUOTED-PRINTABLE
cc: freebsd-stable@freebsd.org
Subject: Re: Secure updating of OS and ports
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Mon, 17 Nov 2003 14:18:32 -0000

On Mon, 17 Nov 2003, Carol Overes wrote:

> I'm looking for a way to update in a secure manner my kernel, binaries and
> anything from the ports collection.
>
> I'm thinking of updating kernel and binaries with patches from
> ftp.freebsd.org which are signed with the PGP key of the security officers.
> However, this has to be hand-made patching. Does anyone know a secure way
> via, for example, cvsup?
>
> Also, I'm looking for a secure way to update ports applications. How can I
> check that patches for ports don't contain any trojans, for example, or are
> coming from the original source?
>
> Any thoughts about this?

I was thinking about this same problem myself not too long ago. What I came up with was that all the related files could have md5sums (as the distfiles already do) and these md5sum files would be signed by a trusted entity, and by default the Makefiles would check the md5sum signatures and the md5sums themselves and refuse to do anything unless it all checks out.

While that would work great for ports, the actual source tree could be a problem. If all files had associated md5sums which would all be checked during compilation, it might make the whole process unbearably slow on slow machines. Although then there might be a switch to disable the checking to increase speed at the cost of security.

Also there's the problem of locating the entity that would check all the source code both in src and ports before signing. Of course the ports could be signed by maintainers using a method provided by the FreeBSD project, such as a key associated with a certificate. Considerable amounts of work into a full-out PKI infrastructure could of course also be a problem.

All this de facto PGP/GPG stuff just makes my head hurt. More thoughts, anyone?

	-jake

-- 
Jarkko Santala
System Administrator
http://iki.fi/jake/
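The signed-checksum scheme sketched in the reply above (a manifest of per-file digests, signed by a trusted key, verified before the build is allowed to proceed), as an added example that is not part of this thread or of the FreeBSD ports framework. It substitutes Ed25519 from Go's standard library for PGP and SHA-256 for MD5, and an in-memory map of constructed file contents stands in for the distfiles directory; the function and type names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Files stands in for a port's distfiles and patches (constructed sample data, keyed by name).
type Files map[string][]byte

// SignManifest is the maintainer side: one "<sha256>  <name>" line per file, sorted so the
// manifest is deterministic, plus an Ed25519 signature over the manifest text.
func SignManifest(priv ed25519.PrivateKey, files Files) (manifest, sig []byte) {
	var lines []string
	for name, data := range files {
		sum := sha256.Sum256(data)
		lines = append(lines, hex.EncodeToString(sum[:])+"  "+name)
	}
	sort.Strings(lines)
	manifest = []byte(strings.Join(lines, "\n") + "\n")
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyManifest is the build side: the signature is checked before any digest is trusted,
// then every listed file must match. Any failure returns an error and the build must stop.
func VerifyManifest(trusted ed25519.PublicKey, manifest, sig []byte, files Files) error {
	if !ed25519.Verify(trusted, manifest, sig) {
		return fmt.Errorf("manifest signature invalid: refusing to build")
	}
	for _, line := range strings.Split(strings.TrimSuffix(string(manifest), "\n"), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		data, ok := files[parts[1]]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing", parts[1])
		}
		if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != parts[0] {
			return fmt.Errorf("%s: checksum mismatch, file altered", parts[1])
		}
	}
	return nil
}
```

Checking the signature first matters: an attacker who can alter a distfile can just as easily rewrite its digest, so an unsigned checksum file only detects accidental corruption, not substitution.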