oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Marcus Meissner <meissner () suse de>
Date: Fri, 26 Apr 2013 10:34:10 +0200
On Thu, Apr 25, 2013 at 08:55:00AM -0400, Josh Bressers wrote:
So, all in all, what you have is a digest, signed by someone who knows the key, or who has access to the creds (if any) for the key, or who has found out the key creds, albeit with timestamp info for when the signature took place. I'm not sure what using PGP gains us?I'm going to take a hard stance against this statement and use it as my soapbox for a bit here. This attitude is really dangerous in the world of security (but it has infected our universe). Security is hard, we all know that, but I think we like to draw a line at 100% and say "it's this or nothing". No, PGP isn't perfect, but it gains us a ton. It's a way we can say "this was signed by someone with the key". Did the bad guy have they key? Maybe, the goal isn't to get to 100%, it's to make the job of an attacker harder, which this would do. There is no system that exists in this instance that is 100% safe. What we need to do isn't talk about how useless PGP is (which it isn't), we need to talk about what's right about it and give advice so people understand how to avoid silly mistakes. A great example is to use a smart card. If a project is using a smart card, and tells us they're using a smart card, that would be helpful in letting us know their signatures are probably trustworthy. We would certainly know their signatures are more trustworthy than a project who uses a private key shared between 10 people. Is the smart card a perfect solution? Certainly not, but it's better than not using a smart card. How many non security people really understand this? How many of us have tried to explain it in a calm and understanding manner? This is Red Hat's goal here. We want to help folks understand what some easy wins are. Security is hard, it will never be 100%. I'd rather see us all working together to improve what we can.
I have to agree here, with additions: Security must not be thought of a state, but a process. It is a continuous and stepwise process and each small step counts. Sourceverification, regardless what method, is a small step to avoid this existing threat of modified tarballs. We have the technology available to do this, and it clearly is the GPG signatures in this case. That they must be used securely and consistently is yet another step. Ciao, Marcus
Current thread:
- Re: upstream source code authenticity checking, (continued)
- Re: upstream source code authenticity checking Robbie MacKay (May 01)
- Re: upstream source code authenticity checking Alistair Crooks (May 02)
- OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking] Daniel Kahn Gillmor (May 02)
- Re: OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking] Simon McVittie (May 02)
- Re: upstream source code authenticity checking Kurt Seifried (May 02)
- Re: upstream source code authenticity checking Russ Allbery (May 02)
- Re: upstream source code authenticity checking Alan Coopersmith (May 02)
- Re: upstream source code authenticity checking Russ Allbery (May 02)
- Re: upstream source code authenticity checking Josh Bressers (Apr 25)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 25)
- Re: upstream source code authenticity checking Marcus Meissner (Apr 26)
- Re: upstream source code authenticity checking nicolas vigier (Apr 25)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 25)
- Re: upstream source code authenticity checking Florian Weimer (Apr 26)
- Re: upstream source code authenticity checking yersinia (Apr 26)
- Re: upstream source code authenticity checking Daniel Kahn Gillmor (May 04)