From: Kris Kennaway
To: Colin Percival
Cc: freebsd-security@freebsd.org, aristeu, Kris Kennaway
Date: Tue, 29 Nov 2005 22:24:59 -0500
Subject: Re: Reflections on Trusting Trust
Message-ID: <20051130032459.GA63255@xor.obsecurity.org>
In-Reply-To: <438D0961.40307@freebsd.org>
List-Id: "Security issues [members-only posting]"

On Tue, Nov 29, 2005 at 06:07:29PM -0800, Colin Percival wrote:
> Kris Kennaway wrote:
> > On Tue, Nov 29, 2005 at 03:43:11PM -0800, Colin Percival wrote:
> >> Even before you get to that point, you have to worry about making sure
> >> that the build clients are secure.  One possibility which worries me a
> >> great deal is that a trojan in the build code for a low-profile port
> >> (e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
> >> gain control of a build client (and then insert trojans into packages
> >> which are built there).
> >
> > They're closed systems that I keep up-to-date with security fixes, but
> > yes, this is something that we do not defend against.  As you note,
> > it's not really practical to at the moment, so the best we can do is
> > just keep it in mind and look for other things to fix.
>
> Yes and no.  Fixing other potential security risks is good, but not if
> it leads users to think that the packages are more trustworthy than they
> really are.  In particular, if we started distributing signed packages,
> I suspect that most people would assume that the signatures guaranteed
> that the packages were good, rather than simply ensuring that the packages
> hadn't been modified after they were built.
>
> If we're going to sign anything, we need to ensure not just that we're
> signing what we think we're signing, but also that we're signing what the
> *end users* think that we're signing.

Seems to me that ignorance and a false sense of security is bad wherever
it appears, so all we can do is try our best to educate users about what
they're getting.

Kris
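The distinction Colin draws above, between "the package is good" and "the package has not changed since it was signed", can be made concrete in code. The following is an added illustration and is not part of the thread or of FreeBSD's package tooling; it uses an HMAC over a SHA-256 digest as a stand-in for the public-key signature a real package builder would produce, with a constructed key and constructed package contents. The point it demonstrates does not depend on the signature scheme: a trojan injected on the build client before signing is covered by the signature and verifies cleanly, while any change after signing is caught.

```python
"""Model of what a package signature attests, and what it does not.

Added illustration, not FreeBSD code.  hmac over sha256 stands in for a
real public-key signature; the coverage semantics are the same.
"""
import hashlib
import hmac

# Constructed signing key held by the (possibly compromised) build/sign host.
SIGNING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def build_package(source: bytes, trojan: bytes = b"") -> bytes:
    """Simulate a build client producing a package from source.

    Anything added here (e.g. by a trojaned port build) becomes part of
    the artifact that is subsequently signed.
    """
    return b"PKG:" + source + trojan


def sign_package(pkg: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Sign the digest of the finished package, as a build farm would."""
    digest = hashlib.sha256(pkg).digest()
    return hmac.new(key, digest, "sha256").digest()


def verify_package(pkg: bytes, sig: bytes, key: bytes = SIGNING_KEY) -> bool:
    """What an end user's package tool checks: integrity since signing."""
    digest = hashlib.sha256(pkg).digest()
    expected = hmac.new(key, digest, "sha256").digest()
    return hmac.compare_digest(expected, sig)


def scenario() -> tuple[bool, bool]:
    """Return (verifies_when_trojaned_before_signing,
               verifies_when_modified_after_signing)."""
    source = b"int main(void) { return 0; }"  # constructed source

    # Case 1: build client compromised; trojan inserted before signing.
    trojaned = build_package(source, trojan=b"/* injected on build host */")
    sig_trojaned = sign_package(trojaned)
    before_signing = verify_package(trojaned, sig_trojaned)  # True

    # Case 2: clean build, but the package is altered after it was signed.
    clean = build_package(source)
    sig_clean = sign_package(clean)
    after_signing = verify_package(clean + b"\x00", sig_clean)  # False

    return before_signing, after_signing


if __name__ == "__main__":
    trojan_passes, tamper_passes = scenario()
    print("trojan injected before signing verifies:", trojan_passes)
    print("modification after signing verifies:   ", tamper_passes)
```

Run as a script it prints `True` for the first case and `False` for the second, which is exactly the gap Colin describes: the signature is a statement by the signer about bytes that already existed, so its guarantee is only as strong as the process that produced those bytes. A build farm that wants the signature to mean "this package is good" has to secure the build clients first; a signature alone cannot add that property after the fact.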