From: Kris Kennaway <kris@obsecurity.org>
To: Colin Percival
Cc: freebsd-security@freebsd.org, aristeu, Kris Kennaway
Date: Tue, 29 Nov 2005 19:05:52 -0500
Subject: Re: Reflections on Trusting Trust
Message-ID: <20051130000552.GB60924@xor.obsecurity.org>
In-Reply-To: <438CE78F.303@freebsd.org>
List: freebsd-security@freebsd.org

On Tue, Nov 29, 2005 at 03:43:11PM -0800, Colin Percival wrote:
> Kris Kennaway wrote:
> > I'd be happy to work with someone who can implement a solution for the
> > package side. The important thing to keep in mind is that packages
> > are built automatically on many distributed machines. Any solution
> > for signing packages would therefore need to also be automated,
> > e.g. signing them automatically when the packages are pulled back from
> > the build client to server.
>
> Even before you get to that point, you have to worry about making sure
> that the build clients are secure. One possibility which worries me a
> great deal is that a trojan in the build code for a low-profile port
> (e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
> gain control of a build client (and then insert trojans into packages
> which are built there).

They're closed systems that I keep up-to-date with security fixes, but
yes, this is something that we do not defend against. As you note, it's
not really practical to at the moment, so the best we can do is just keep
it in mind and look for other things to fix.

Kris
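The two points made in the exchange above, sign-on-ingest as the automated signing step and the fact that such a signature says nothing about what happened on the build client, can be shown concretely. The following Go program is an added example, not code from the FreeBSD project or from either poster: it models a build server that holds the only private key, signs each package the moment it is pulled back from a build client, and a consumer that verifies against a pinned public key. Package names, contents and the Ed25519 key are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedPackage is what the build server publishes: the package bytes,
// their SHA-256 digest, and an Ed25519 signature over name plus digest.
type SignedPackage struct {
	Name      string
	Data      []byte
	Digest    [32]byte
	Signature []byte
}

// Signer holds the private key that lives only on the build server.
// Build clients never see it, so they cannot sign packages themselves.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates a fresh server key pair (constructed for the example;
// a real deployment would load a long-lived, protected key).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, pub: pub}, nil
}

// PublicKey is the value consumers pin; distributing it is out of scope here.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// signedMessage binds the package name into the signed bytes so that a
// signature made for one package cannot be replayed onto another.
func signedMessage(name string, digest [32]byte) []byte {
	return []byte("pkg:" + name + ":" + hex.EncodeToString(digest[:]))
}

// SignOnIngest is the automated step the thread describes: as soon as a
// package is pulled back from a build client, the server signs it. Note
// that it signs whatever bytes arrived; it cannot tell a clean build from
// one produced on a compromised client.
func (s *Signer) SignOnIngest(name string, data []byte) SignedPackage {
	digest := sha256.Sum256(data)
	return SignedPackage{
		Name:      name,
		Data:      append([]byte(nil), data...),
		Digest:    digest,
		Signature: ed25519.Sign(s.priv, signedMessage(name, digest)),
	}
}

// Verify is the consumer-side check against the pinned server public key.
// It rejects packages altered in transit or on the mirror, and signatures
// moved between packages.
func Verify(pub ed25519.PublicKey, p SignedPackage) error {
	digest := sha256.Sum256(p.Data)
	if digest != p.Digest {
		return errors.New("package data does not match the signed digest")
	}
	if !ed25519.Verify(pub, signedMessage(p.Name, digest), p.Signature) {
		return errors.New("signature does not verify under the pinned key")
	}
	return nil
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed package bytes standing in for a real .tbz from a build client.
	clean := s.SignOnIngest("misc/example-1.0", []byte("constructed clean package"))
	fmt.Println("clean package verifies:", Verify(s.PublicKey(), clean) == nil)

	// Tampering after signing (e.g. on a mirror) is caught.
	tampered := clean
	tampered.Data = append([]byte(nil), clean.Data...)
	tampered.Data[0] ^= 0x01
	fmt.Println("tampered package rejected:", Verify(s.PublicKey(), tampered) != nil)

	// A package trojaned on the build client before it is pulled back is
	// signed like any other and verifies: this is the gap the thread notes.
	trojaned := s.SignOnIngest("misc/example-1.0", []byte("constructed trojaned package"))
	fmt.Println("trojaned-at-build package still verifies:", Verify(s.PublicKey(), trojaned) == nil)
}
```

The design choice worth noting is where the key sits: only the server can sign, so a compromised build client cannot forge signatures for packages it never handed over, and the digest plus name binding defends the distribution path (mirrors, transit). What it does not and cannot do is attest to the build itself, which is exactly why the reply above treats build-client integrity as a separate, currently undefended problem.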