All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: signed tarballs
Date: Fri, 14 Apr 2017 09:06:53 -0400	[thread overview]
Message-ID: <CAHC9VhSFaw4knZQqJfds8ci06n6CUmiXjW87KiA-9YnLc5To9Q@mail.gmail.com> (raw)
In-Reply-To: <5856507.yEgrJDtUAW@x2>

On Thu, Apr 13, 2017 at 6:25 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote:
>> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts
>>
>> <bill.c.roberts@gmail.com> wrote:
>> > Isn't the hash on the https people's page?
>
> No, its on the mail list. The mail list is moderated. Only a handful of people
> could post a spoofed message.
>
>> > Which last time I looked wasnt throwing cert errors in chrome.
>>
>> Unless Steve has exclusive administrative access to people.redhat.com
>> (I think it is safe to say he does not, but correct me if I'm wrong
>> Steve <b>)
>
> Nope.
>
>> you can't trust an unsigned checksum regardless of how
>> strong the https cert/crypto as the web admin could still tamper with
>> the data.
>
> They would have to go tamper with the mail list where all the hashes are
> publicly disclosed, too. There are multiple mail list archives. Then they
> would have to post the tampered tarball to the Fedora Build System which also
> publicly discloses hashs. And the Fedora Build System requires several
> identity checks to check it in and it maintains a log.

No.  Since there is no authentication to post to this public email
list all they would have to do is spoof bogus a release announcement
email from you; yes there are some measures in place to combat things
like this, but it isn't that hard.  Granted, you might notice this
attack relatively quickly, but if the attack was timed to happen while
you were away from your email for an extended period of time (travel,
etc.) the window could be non-trivial, and even then, how many
installs could have already been put at risk?

Steve, it's pretty apparent at this point that you don't want to, and
aren't likely to, provide any form of signed checksum for the audit
userspace release.  That's your prerogative, and to some like William,
they may be content with that level of risk.  However, please don't
pretend that signing releases doesn't provide an additional layer of
protection.

-- 
paul moore
www.paul-moore.com

  reply	other threads:[~2017-04-14 13:06 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-06 23:31 signed tarballs Christian Rebischke
2017-04-07  1:27 ` William Roberts
2017-04-07 23:41   ` Christian Rebischke
2017-04-07 23:52     ` William Roberts
2017-04-08 12:53 ` Paul Moore
2017-04-10 18:51   ` Steve Grubb
2017-04-10 18:35 ` Steve Grubb
2017-04-11 10:44   ` Christian Rebischke
2017-04-11 14:03     ` Steve Grubb
2017-04-13 20:28       ` Christian Rebischke
2017-04-13 20:30         ` William Roberts
2017-04-13 20:43           ` Steve Grubb
2017-04-13 20:56           ` Christian Rebischke
2017-04-13 21:00             ` William Roberts
2017-04-13 21:05               ` Paul Moore
2017-04-13 21:08                 ` William Roberts
2017-04-13 21:17                   ` Paul Moore
2017-04-13 22:39                     ` William Roberts
2017-04-13 21:22                 ` Christian Rebischke
2017-04-13 22:45                   ` William Roberts
2017-04-13 23:17                     ` Steve Grubb
2017-04-13 22:25                 ` Steve Grubb
2017-04-14 13:06                   ` Paul Moore [this message]
2017-04-14 13:38                     ` Steve Grubb
2017-04-14 23:03                       ` Christian Rebischke

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHC9VhSFaw4knZQqJfds8ci06n6CUmiXjW87KiA-9YnLc5To9Q@mail.gmail.com \
    --to=paul@paul-moore.com \
    --cc=linux-audit@redhat.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.