From owner-freebsd-security@FreeBSD.ORG Tue Nov 29 23:44:36 2005
Date: Tue, 29 Nov 2005 15:43:11 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Kris Kennaway
Cc: freebsd-security@freebsd.org, aristeu
Subject: Re: Reflections on Trusting Trust
Message-id: <438CE78F.303@freebsd.org>
In-reply-to: <20051129232703.GA60060@xor.obsecurity.org>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer> <20051129232703.GA60060@xor.obsecurity.org>

Kris Kennaway wrote:
> I'd be happy to work with someone who can implement a solution for the
> package side.  The important thing to keep in mind is that packages
> are built automatically on many distributed machines.  Any solution
> for signing packages would therefore need to also be automated,
> e.g. signing them automatically when the packages are pulled back from
> the build client to server.

Even before you get to that point, you have to worry about making sure
that the build clients are secure.  One possibility which worries me a
great deal is that a trojan in the build code for a low-profile port
(e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
gain control of a build client (and then insert trojans into packages
which are built there).

Of course, there are some mechanisms which can be used -- for example,
jails -- but I'm not willing to trust the security of every system which
ever installs FreeBSD packages to the hope that nobody will ever find a
security flaw which permits a jailbreak.  Once Xen is more mature, I
imagine that it will be very useful for performing such builds securely.

Colin Percival
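The automated signing step Kris describes, and the limit Colin points out, can be made concrete with a small model of the pipeline. The following is an added example written for this archive page; it is not code from FreeBSD, from Colin Percival or from Kris Kennaway. It assumes a hypothetical server-side Ed25519 key (the private half staying on the build server), a Package type standing in for a pulled-back archive, and constructed sample bytes in place of a real package tarball.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a built package as pulled back from a build client: its name
// and archive bytes (constructed sample data stands in for a real tarball).
type Package struct {
	Name string
	Data []byte
}

// SignedPackage is a package plus the build server's detached signature.
type SignedPackage struct {
	Package
	Signature []byte
}

var ErrBadSignature = errors.New("package signature does not verify")

// NewSigningKey generates the hypothetical server-side Ed25519 key pair.
// The private key must never be copied to a build client.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest binds the package name to its contents, so a signature over one
// package cannot be reused for the same bytes published under another name.
func digest(p Package) []byte {
	h := sha256.New()
	h.Write([]byte(p.Name))
	h.Write([]byte{0}) // separator between name and contents
	h.Write(p.Data)
	return h.Sum(nil)
}

// SignOnIngest is the automated step run on the build server as packages
// arrive from a build client: no human in the loop, it signs what it pulled.
func SignOnIngest(priv ed25519.PrivateKey, pkgs []Package) []SignedPackage {
	out := make([]SignedPackage, 0, len(pkgs))
	for _, p := range pkgs {
		out = append(out, SignedPackage{Package: p, Signature: ed25519.Sign(priv, digest(p))})
	}
	return out
}

// Verify is what an installing system does with the server's public key.
func Verify(pub ed25519.PublicKey, sp SignedPackage) error {
	if !ed25519.Verify(pub, digest(sp.Package), sp.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper returns a copy of sp with one archive byte flipped, standing in for
// modification somewhere between the server and the installing system.
func Tamper(sp SignedPackage) SignedPackage {
	data := append([]byte(nil), sp.Data...)
	data[0] ^= 0x01
	return SignedPackage{Package: Package{Name: sp.Name, Data: data}, Signature: sp.Signature}
}

func main() {
	pub, priv := NewSigningKey()
	// Constructed sample: what a build client hands back to the server.
	fromClient := []Package{
		{Name: "misc/example-port-1.0", Data: []byte("constructed archive bytes")},
	}
	signed := SignOnIngest(priv, fromClient)
	fmt.Println("as published by server:", Verify(pub, signed[0]))
	fmt.Println("altered after signing: ", Verify(pub, Tamper(signed[0])))
}
```

Verify catches a package altered after the server signed it, a signature moved onto a package of another name, and a signature from some other key. What it cannot tell apart is a package that was already altered on the build client before the pull, because SignOnIngest signs whatever arrives; that is exactly the gap Colin's reply is about, and it has to be closed on the build side (isolation of the build clients), not in the signing code.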