oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 26 Apr 2013 22:10:51 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/26/2013 07:01 PM, Alistair Crooks wrote:
> No, not really. My point was that people seem to think that, just because something is signed, it must be 100% good from the right person. I will agree that most of the time this is the case - however, relying on this to be the case would be imprudent. There's
But they must already think that it's trustworthy or they wouldn't CARE about whether or not the software is signed because they wouldn't even be looking at it or care that it exists. The only reason you would care if the software is signed is if you intend to use it in some way (or you're the 0.0001% of crazy security researchers, which is basically no-one).
> As to unsigned code being wide open, we have previous versions to compare against (and, in the sense that we're discussing it here, the
This assumes they have not been compromised already and the compromised bits brought forwards. This also assumes everyone runs diff -ru version1 version2 and audits the output. This is PROVABLY not the case, otherwise people would catch NORMAL security flaws being introduced.
> people who will be comparing are the packagers for the Linux distributions, or the BSD packagers). They are perfectly capable of doing that, and should be. As part of updating packages, they should
HAHAHAHAHAHAHAHAHAA MUAHAHAHA SNORT HAHAHAHAHAHA No. No, as a rule they don't. Again, if people audited source code changes for security flaws, by definition no new security flaws would be introduced (well, they would be, but people would catch them). Seriously, think about it.
> That wasn't my intention, so I'm sorry if it came across that way. But can we also get away from the "we have signed distfiles now, so everything is guaranteed to be safe for evermore"? Thanks.
Most of us never said that (and I apologize if we didn't make it clear). We said "more secure", not "completely secure so stop worrying". If we didn't spell it out, we should have, but I think it's obvious from my post, Josh's post, etc. that that is the intent. Right now we have code written by who knows what/who running on millions of servers with no oversight/audits/checks. Witness this week's WP-Super-Cache debacle, or the timthumb.php thing. If people actually audited the code changes they would have gone "wow... mfunc... wait.. can't this result in code exec..?". Oh, and I've had NO response from the WP-Super-Cache guy so far. Good thing he cares about security. And all the people that use his software.
> Regards, Alistair
- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRe0/LAAoJEBYNRVNeJnmTMNgP/2FPVVNNyfx75gGlae45QKpt
CDJPA3klag33Y1j4mr+1D+pNKgsrHYStbn+RHCfx45QpJ2SqqfTpWP8WW3MTzuQX
OjDlfNHfyTejiaXveNpCwhHEjyySNQCLRKNeo/G7j2Zh2cZH84kDuZPaEswTZbvU
Jwmh1K6oIZE1ceH+mbSUXglwsmrZ7W+0bgCV9QrNn5m79NB71AbcjAb1+pnOVR7K
x/msccsea+Pd17+PXS2vqDeVP2sS50xvtjekjvb2Hd27gHBeg2kBAg+JkrsslQhc
kXSqxnUALDGTBTcjo6uHlO1IF9QHqzEeWC3G/gMHFsG04IZdfO2nIEi46/983rz+
v6zLUXMsVwAlMouv/W09ZV0PwME1M5njKezrESz6OjbJiyhyOf1/gDWJUpbWpoNs
FCbmtuZPKShBBKEhRyabUYV7cThsRm0gogo7wuLHXkgy2WiqRD4k2bpc0ptfEN8i
ZiA0T7OGwcKjTtrZ1PPpI0+7oano9/gCguNcwaYAQ2u0vYbv9jQghN80d6eh3Sfs
vibzqmx0bp3zQAgYJkwWrxAfe1SGpqd7kHBZ92LV5EJr4G7yYBjfYYUuvbr3NzAI
Z1Z8xgNOCzW8A3+AsWtLcIvP2p/UKijxm7Ochk/9XxnauyS5OCTkvjfkwfOMv/14
5SIBdo52tmSjuduu3jXo
=9qZN
-----END PGP SIGNATURE-----
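The two checks argued over in the message above (a signature that proves who signed, and a diff against the previous release that a packager actually reads), put together as an added example. This script is not from the thread, from Red Hat or from any distribution's packaging tooling. It assumes gpg, diff and tar are on the PATH; the pinned fingerprint is a placeholder you would replace with one obtained from the project out of band, and the RISKY_PATTERNS list is an illustrative heuristic, not a vulnerability scanner.

```shell
#!/bin/sh
# Added example, not from the thread or from any distribution's tooling.
# A valid signature only tells you WHO signed; it says nothing about WHAT
# changed. So: (1) accept the upstream signature only if gpg reports
# VALIDSIG for a fingerprint pinned out of band ("Good signature" from
# some key that happens to be in the keyring is not enough), and
# (2) diff the release against the previous one and surface added lines
# matching a few crude code-execution patterns, so the packager has a
# short list to actually read instead of a diff nobody opens.
set -eu

# Hypothetical pinned fingerprint of the upstream release key (assumption;
# obtain it from the project out of band, not from the tarball's own .asc).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Illustrative grep -E patterns for additions worth a human look (assumption,
# PHP-flavoured because of the WordPress plugins mentioned; tune per project).
RISKY_PATTERNS='eval\(|system\(|passthru\(|shell_exec\(|base64_decode\(|preg_replace\(.*/e'

# check_validsig PINNED_FPR   (gpg --status-fd output on stdin)
# Returns 0 only if a VALIDSIG line names the pinned fingerprint as the
# signing key ($3) or the primary key ($NF) and no BADSIG/ERRSIG/
# EXPKEYSIG/REVKEYSIG line appears anywhere in the output.
check_validsig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_tarball SIG FILE: with --status-fd 1 gpg writes machine-readable
# status lines to stdout; the human-oriented text goes to stderr and is
# discarded here because it is not what we are parsing.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_validsig "$PINNED_FPR"
}

# flag_risky_additions OLD_DIR NEW_DIR: print the "+" lines of a recursive
# unified diff that match RISKY_PATTERNS (the "+++ file" headers excluded).
# Always exits 0; callers test whether anything was printed.
flag_risky_additions() {
    diff -ruN "$1" "$2" | grep -E '^\+' | grep -vE '^\+\+\+ ' \
        | grep -E "$RISKY_PATTERNS" || true
}

# audit_release OLD_TARBALL NEW_TARBALL NEW_SIG
# Exit 2: signature is not from the pinned key. Exit 1: flagged additions.
audit_release() {
    verify_tarball "$3" "$2" || {
        echo "signature is not from the pinned key; refusing" >&2
        return 2
    }
    work=$(mktemp -d)
    mkdir "$work/old" "$work/new"
    tar -xzf "$1" -C "$work/old"
    tar -xzf "$2" -C "$work/new"
    hits=$(flag_risky_additions "$work/old" "$work/new")
    rm -rf "$work"
    if [ -n "$hits" ]; then
        printf 'Read these added lines before packaging:\n%s\n' "$hits"
        return 1
    fi
    echo "no flagged additions (a heuristic, not a clean bill of health)"
}

# Usage: ./audit_release.sh foo-1.0.tar.gz foo-1.1.tar.gz foo-1.1.tar.gz.asc
if [ "$#" -eq 3 ]; then
    audit_release "$@"
fi
```

The fingerprint pin is the part people skip: gpg prints "Good signature" for any key in the keyring, so a verify step that only checks the exit status accepts a tarball signed by whoever managed to get a key into the packager's keyring. Pinning does not help if the maintainer's own key is compromised, which is exactly why the diff step exists; and the pattern list only shortens the reading, it does not replace it.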