oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Alistair Crooks <agc () pkgsrc org>
Date: Mon, 22 Apr 2013 03:32:14 +0200
On Mon, Apr 22, 2013 at 10:52:00AM +1000, Allan McRae wrote:
> Arch Linux does have a similar system (our package building infrastructure uses PGP signature verification if available, any of a variety of checksums).
Right - and, as your blog post mentions, the necessary effectiveness of the public key is germane to the issues here. How is revocation or expiry of keys handled?
> The point of my post was that if upstream does not provide anything when they release a tarball, then they really do not help that much... It just verifies that the source the packager downloaded is the same as the source you have. It does not save you if the source was altered before the packager obtained it.
Well, the package maintainers are asked to provide a summary of changes when any updates are made. Personally, I like to diff old and new sources to see what has changed; I'd like to think it's not just me doing that. So the old version is used as leverage for the newer version.

However, the threat vector is an interesting one; in the past we've seen trojaned versions of software (typically exploited in the configure stage) occur, but the trojaned versions trail the official release by some time. As an aside -- if the builder is running "./configure" as root, then they deserve a lot of the stuff that's coming their way.

The other thing to note is that, in these cases, the digests have been sufficient to pick up the changes in the distributed tar files. And simply adding more weight and complexity to the signature (it's more than likely a SHA1 digest that gets signed, right?) doesn't add any more protection, and demands up-to-date public keys of the tarball packager.

So, all in all, I'm not sure what benefits a signature provides over digests for this use case.

Regards,
Alistair
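The digest check Alistair describes, written out as an added example (not code from pkgsrc or from anyone in this thread): it parses a pkgsrc-style distinfo file, recomputes each recorded digest and the size over a downloaded distfile, and reports mismatches. The distinfo text, the file name foo-1.0.tar.gz and the tarball bytes are constructed here; as the thread notes, a clean result only proves the file matches what the packager recorded, not that upstream's tree was untouched.

```python
import hashlib
import re

# Distinfo-style lines: "<ALGO> (<file>) = <hex>" and "Size (<file>) = <n> bytes".
# The distinfo text and tarball bytes below are constructed for this example.
DISTINFO_LINE = re.compile(r"^(\w+) \((\S+)\) = (\S+)(?: bytes)?$")


def parse_distinfo(text):
    """Return {filename: {algo: expected_value}} from distinfo-style text."""
    expected = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            continue  # blank lines, the $NetBSD$ id line, comments
        algo, fname, value = m.groups()
        expected.setdefault(fname, {})[algo] = value
    return expected


def verify_distfile(fname, data, expected):
    """Check every recorded digest and the size of fname against data.
    Returns a list of mismatch descriptions; an empty list means the distfile
    is byte-for-byte what the packager recorded when the digests were taken."""
    if fname not in expected:
        return ["no distinfo entry for %s" % fname]
    failures = []
    for algo, want in expected[fname].items():
        if algo == "Size":
            got = str(len(data))
        else:
            try:
                got = hashlib.new(algo.lower(), data).hexdigest()
            except ValueError:  # digest not supported by this Python build
                failures.append("unsupported digest %s" % algo)
                continue
        if got != want:
            failures.append("%s mismatch: want %s got %s" % (algo, want, got))
    return failures


# Constructed sample: a tiny fake "tarball" and the distinfo a packager recorded.
GOOD_TARBALL = b"fake tarball contents for foo-1.0\n"
DISTINFO = "\n".join([
    "$NetBSD$",
    "SHA1 (foo-1.0.tar.gz) = %s" % hashlib.sha1(GOOD_TARBALL).hexdigest(),
    "SHA512 (foo-1.0.tar.gz) = %s" % hashlib.sha512(GOOD_TARBALL).hexdigest(),
    "Size (foo-1.0.tar.gz) = %d bytes" % len(GOOD_TARBALL),
])

if __name__ == "__main__":
    exp = parse_distinfo(DISTINFO)
    print(verify_distfile("foo-1.0.tar.gz", GOOD_TARBALL, exp))  # []
    tampered = GOOD_TARBALL.replace(b"contents", b"CONTENTS")  # same size
    print(verify_distfile("foo-1.0.tar.gz", tampered, exp))  # 2 digest mismatches
```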