Date: Tue, 29 Nov 2005 15:43:11 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: freebsd-security@freebsd.org, aristeu <suporte@wahtec.com.br>
Subject: Re: Reflections on Trusting Trust
Message-ID: <438CE78F.303@freebsd.org>
In-Reply-To: <20051129232703.GA60060@xor.obsecurity.org>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer> <20051129232703.GA60060@xor.obsecurity.org>
Kris Kennaway wrote:
> I'd be happy to work with someone who can implement a solution for the
> package side. The important thing to keep in mind is that packages
> are built automatically on many distributed machines. Any solution
> for signing packages would therefore need to also be automated,
> e.g. signing them automatically when the packages are pulled back from
> the build client to server.

Even before you get to that point, you have to worry about making sure that the build clients are secure. One possibility which worries me a great deal is that a trojan in the build code for a low-profile port (e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to gain control of a build client (and then insert trojans into packages which are built there).

Of course, there are some mechanisms which can be used -- for example, jails -- but I'm not willing to trust the security of every system which ever installs FreeBSD packages to the hope that nobody will ever find a security flaw which permits a jailbreak. Once Xen is more mature, I imagine that it will be very useful for performing such builds securely.

Colin Percival
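The "sign automatically when the packages are pulled back from the build client to the server" step that Kris describes, and the limit on it that Colin raises, can be made concrete with a small Ed25519 sign-on-pull / verify-on-install pair. This is an added example written for this archive page, not code from FreeBSD, the ports build cluster, or either author; the key scheme, the `freebsd-package-v0` context label, the function names and the archive bytes are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewSigningKey generates the long-lived package-signing key pair that would
// live on the package server (hypothetical: the thread names no key scheme).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedMessage builds the canonical bytes that get signed: a fixed context
// label (assumed here), the package name and the hex SHA-256 of the archive.
// Binding the name stops a valid signature for one package from being
// replayed on a different package.
func signedMessage(name string, archive []byte) []byte {
	digest := sha256.Sum256(archive)
	return []byte(fmt.Sprintf("freebsd-package-v0\n%s\n%s", name, hex.EncodeToString(digest[:])))
}

// SignOnPull is the automated step from the quoted message: run on the
// package server as each archive arrives from a build client. It returns the
// detached signature to publish beside the archive.
func SignOnPull(priv ed25519.PrivateKey, name string, archive []byte) []byte {
	return ed25519.Sign(priv, signedMessage(name, archive))
}

// VerifyPackage is the installing client's check. A passing result proves only
// that the package server vouched for exactly these bytes under this name; it
// says nothing about whether the build client that produced them was clean,
// which is the gap Colin points at.
func VerifyPackage(pub ed25519.PublicKey, name string, archive []byte, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(name, archive), sig)
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a package archive pulled from a build client.
	archive := []byte("constructed archive bytes for misc/example-port-1.0")
	sig := SignOnPull(priv, "misc/example-port-1.0", archive)
	fmt.Println("verify genuine:", VerifyPackage(pub, "misc/example-port-1.0", archive, sig))

	// Any change to the archive after signing invalidates the signature.
	tampered := append([]byte{}, archive...)
	tampered[0] ^= 0x01
	fmt.Println("verify tampered:", VerifyPackage(pub, "misc/example-port-1.0", tampered, sig))

	// The same bytes presented under another package name also fail.
	fmt.Println("verify renamed:", VerifyPackage(pub, "misc/other-port-1.0", archive, sig))
}
```

The design choice worth noting is that the signature covers the archive as received by the server, so it detects tampering in transit or on the mirror, but it cannot detect a trojan that was already in the archive when the build client handed it over; that residual risk is exactly why the build clients themselves need isolation.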