Date: Tue, 29 Nov 2005 22:24:59 -0500
From: Kris Kennaway <kris@obsecurity.org>
To: Colin Percival <cperciva@freebsd.org>
Cc: freebsd-security@freebsd.org, aristeu <suporte@wahtec.com.br>, Kris Kennaway <kris@obsecurity.org>
Subject: Re: Reflections on Trusting Trust
Message-ID: <20051130032459.GA63255@xor.obsecurity.org>
In-Reply-To: <438D0961.40307@freebsd.org>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer> <20051129232703.GA60060@xor.obsecurity.org> <438CE78F.303@freebsd.org> <20051130000552.GB60924@xor.obsecurity.org> <438D0961.40307@freebsd.org>
On Tue, Nov 29, 2005 at 06:07:29PM -0800, Colin Percival wrote:
> Kris Kennaway wrote:
> > On Tue, Nov 29, 2005 at 03:43:11PM -0800, Colin Percival wrote:
> >> Even before you get to that point, you have to worry about making sure
> >> that the build clients are secure. One possibility which worries me a
> >> great deal is that a trojan in the build code for a low-profile port
> >> (e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
> >> gain control of a build client (and then insert trojans into packages
> >> which are built there).
> >
> > They're closed systems that I keep up-to-date with security fixes, but
> > yes, this is something that we do not defend against. As you note,
> > it's not really practical to at the moment, so the best we can do is
> > just keep it in mind and look for other things to fix.
>
> Yes and no. Fixing other potential security risks is good, but not if
> it leads users to think that the packages are more trustworthy than they
> really are. In particular, if we started distributing signed packages,
> I suspect that most people would assume that the signatures guaranteed
> that the packages were good, rather than simply ensuring that the packages
> hadn't been modified after they were built.
>
> If we're going to sign anything, we need to ensure not just that we're
> signing what we think we're signing, but also that we're signing what the
> *end users* think that we're signing.

Seems to me that ignorance and a false sense of security is bad wherever
it appears, so all we can do is try our best to educate users about what
they're getting.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDjRuLWry0BWjoQKURArdGAKCynAKo6gfljOGuzJEcjU4eubE+UQCgyOj2
vxf02W2w9DcqG8RVODJYGRE=
=JN/P
-----END PGP SIGNATURE-----
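The distinction Colin draws above (a package signature proves only that the bytes were not altered after the build, not that the build itself was sound) can be made concrete. The following is an added example, not code from this thread or from the FreeBSD package cluster. It models a build as a deterministic function of its inputs, stands in for a public-key signature with an HMAC so it runs offline on the standard library, and shows that a package built from tampered build inputs still verifies cleanly; only a separately published record of the build inputs gives the end user something to compare against. All names, keys and inputs are constructed for illustration.

```python
"""Added example: what a package signature does and does not attest.

Constructed assumptions: a 'build' is a deterministic transform of its
inputs (a port Makefile plus a distfile); the signing key is simulated
with an HMAC secret so the example needs no third-party crypto library.
A real cluster would use a public-key scheme (e.g. a PGP-signed checksum
file) so that users verify with a public key, but the lesson is the same.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed signing secret; stands in for the cluster's private key.
SIGNING_SECRET = b"constructed-build-cluster-signing-key"


def build_package(inputs: dict[str, bytes]) -> bytes:
    """Model a package build as a deterministic digest of its inputs."""
    h = hashlib.sha256()
    for name in sorted(inputs):
        h.update(name.encode())
        h.update(b"\0")
        h.update(inputs[name])
        h.update(b"\0")
    return b"PKG:" + h.digest()


def sign(data: bytes) -> str:
    """Produce a detached 'signature' over arbitrary bytes."""
    return hmac.new(SIGNING_SECRET, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    """Check a detached signature in constant time."""
    return hmac.compare_digest(sign(data), signature)


def input_manifest(inputs: dict[str, bytes]) -> bytes:
    """Record of what went into the build: input name -> sha256 of its bytes."""
    digests = {name: hashlib.sha256(blob).hexdigest() for name, blob in inputs.items()}
    return json.dumps(digests, sort_keys=True).encode()


def publish(inputs: dict[str, bytes]) -> dict:
    """What a build client would hand out: the package, a manifest, and
    signatures over each."""
    pkg = build_package(inputs)
    manifest = input_manifest(inputs)
    return {
        "package": pkg,
        "package_sig": sign(pkg),
        "manifest": manifest,
        "manifest_sig": sign(manifest),
    }


def user_check(release: dict, expected_manifest: bytes) -> dict[str, bool]:
    """The two separate facts an end user can establish.

    'unmodified_since_build' is all a package signature ever tells you.
    'built_from_expected_inputs' additionally requires a signed manifest and
    an independent expectation of what the inputs should have been.
    """
    manifest_ok = verify(release["manifest"], release["manifest_sig"])
    return {
        "unmodified_since_build": verify(release["package"], release["package_sig"]),
        "built_from_expected_inputs": manifest_ok
        and hmac.compare_digest(release["manifest"], expected_manifest),
    }


# Constructed build inputs for a low-profile port.
CLEAN_INPUTS = {
    "Makefile": b"PORTNAME=my-port\nDISTNAME=my-port-1.0\n",
    "my-port-1.0.tar.gz": b"constructed harmless sources",
}
# Same port, but the build code carries an extra, unreviewed step.
TROJANED_INPUTS = dict(CLEAN_INPUTS)
TROJANED_INPUTS["Makefile"] = CLEAN_INPUTS["Makefile"] + b"# constructed: unreviewed extra build step\n"


if __name__ == "__main__":
    expected = input_manifest(CLEAN_INPUTS)
    print("clean build:   ", user_check(publish(CLEAN_INPUTS), expected))
    print("trojaned build:", user_check(publish(TROJANED_INPUTS), expected))
```

Both releases pass the package-signature check, because the signature was made over whatever the build produced. The trojaned one is caught only by the manifest comparison, and even that holds only if the manifest was produced by a build client that was itself intact, which is exactly why the thread treats build-client security as the prior problem.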