From owner-freebsd-security@FreeBSD.ORG Wed Nov 30 02:07:42 2005
Date: Tue, 29 Nov 2005 18:07:29 -0800
From: Colin Percival
To: Kris Kennaway
Cc: freebsd-security@freebsd.org, aristeu
Subject: Re: Reflections on Trusting Trust
In-reply-to: <20051130000552.GB60924@xor.obsecurity.org>
Message-id: <438D0961.40307@freebsd.org>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer> <20051129232703.GA60060@xor.obsecurity.org> <438CE78F.303@freebsd.org> <20051130000552.GB60924@xor.obsecurity.org>

Kris Kennaway wrote:
> On Tue, Nov 29, 2005 at 03:43:11PM -0800, Colin Percival wrote:
>> Even before you get to that point, you have to worry about making sure
>> that the build clients are secure. One possibility which worries me a
>> great deal is that a trojan in the build code for a low-profile port
>> (e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
>> gain control of a build client (and then insert trojans into packages
>> which are built there).
>
> They're closed systems that I keep up-to-date with security fixes, but
> yes, this is something that we do not defend against. As you note,
> it's not really practical to at the moment, so the best we can do is
> just keep it in mind and look for other things to fix.

Yes and no. Fixing other potential security risks is good, but not if it
leads users to think that the packages are more trustworthy than they
really are. In particular, if we started distributing signed packages, I
suspect that most people would assume that the signatures guaranteed that
the packages were good, rather than simply ensuring that the packages
hadn't been modified after they were built.

If we're going to sign anything, we need to ensure not just that we're
signing what we think we're signing, but also that we're signing what the
*end users* think that we're signing.

Colin Percival