oss-sec mailing list archives
Re: membership request to the closed linux-distros security mailing list
From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 3 Apr 2015 12:02:29 -0700
On Fri, Apr 03, 2015 at 01:09:39AM -0400, Daniel Micay wrote:
> I guess Ubuntu has to be dropped from the linux-distros then, because www.ubuntu.com appears to be http-only and the ISO download is entirely insecure.
Ubuntu ISO downloads come alongside signed SHA256SUMS files:

http://mirror.pnl.gov/releases/14.10/SHA256SUMS
http://mirror.pnl.gov/releases/14.10/SHA256SUMS.gpg

Granted, determining if the hashes were signed by a legitimate key is difficult to bootstrap, and our website currently doesn't help. As a result of Kurt's recent discussion about Kali Linux, and simultaneous prompting by Douglass Clem, I have asked our web team to make the ISO signing keys more prominently available on our website than just mentioned on one wiki page.
> The security notices are also served insecurely there: http://www.ubuntu.com/usn/
The security advisories we send via email are gpg signed:

https://lists.ubuntu.com/archives/ubuntu-security-announce/

In addition, the mechanism we suggest our users should use to apply updates -- apt-get update && apt-get dist-upgrade, or the graphical equivalent -- provides for full trust path validation automatically. The advisories are simply additional information for the curious. Our users can freely ignore our mailed and posted advisories if they wish.

I raised my concerns about Enea's advisories largely because it appeared that their recommended mechanism of acquiring and installing updates is entirely unvalidated from end to end. If they are also using an authenticated tool like up2date, yum, apt-get, apt-rpm, zypper, pacman, pkgsrc, or git with signed tags or otherwise authenticated tags, as the actual mechanism users should use to download updates, then they should recommend using that tool in their advisories.
> Am I missing something... ? It doesn't make much sense to criticize this when you folks are doing the same. I do get the impression that Enea Linux is handling security poorly (where are all of the other issues?) but this bothered me.
Funny, I didn't worry too much about how few issues they've addressed: I don't know what packages they ship, nor the threat models their users may have with their systems. Please don't hesitate to share any other concerns with Ubuntu's security practices.

Thanks
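The two-step check the mail describes for an ISO download, as an added example (not code from the mail, from Ubuntu, or from any project): first verify SHA256SUMS.gpg against a keyring that holds only the image-signing key obtained out of band, then compare the ISO's hash with the verified SHA256SUMS. The fingerprint constant is a placeholder and the sample image and sums line are constructed for the demo.

```python
import hashlib
import os
import subprocess
import tempfile

# Placeholder: the real signing-key fingerprint must come from an out-of-band source.
SIGNING_KEY_FPR = "PLACEHOLDER-FINGERPRINT-OBTAINED-OUT-OF-BAND"
def parse_sha256sums(text):
    """Parse coreutils SHA256SUMS lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    sums = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        digest, _, name = line.partition(" ")
        name = name[1:] if name[:1] in (" ", "*") else name  # drop text/binary marker
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError("malformed SHA256SUMS line: %r" % line)
        sums[name] = digest.lower()
    return sums
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream it: a multi-GB ISO need not fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def signature_is_valid(sums_path, sig_path, keyring):
    """Step 1: gpg --verify against a dedicated keyring; accept only a VALIDSIG from
    the pinned fingerprint (GOODSIG alone would accept any key in that keyring)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, sums_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    for line in proc.stdout.decode("utf-8", "replace").splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and SIGNING_KEY_FPR in parts[2:]:
            return proc.returncode == 0
    return False

def iso_matches_sums(iso_path, sums_text):
    """Step 2: only meaningful once signature_is_valid() has vouched for sums_text."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(iso_path))
    return expected is not None and sha256_file(iso_path) == expected

def demo():
    """Constructed sample, not a real image: exercises step 2 offline."""
    d = tempfile.mkdtemp()
    iso = os.path.join(d, "ubuntu-14.10-desktop-amd64.iso")
    with open(iso, "wb") as f:
        f.write(b"constructed stand-in for an ISO image\n")
    good = sha256_file(iso) + " *ubuntu-14.10-desktop-amd64.iso\n"
    tampered = ("0" if good[0] != "0" else "1") + good[1:]  # one flipped hex digit
    return iso_matches_sums(iso, good), iso_matches_sums(iso, tampered)
```

Running the sums check without step 1 only proves the download matches a file the same mirror served, which is the gap the mail points at; pinning the keyring is what ties the sums to the publisher rather than to the transport.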