oss-sec mailing list archives
Re: Mitigating malicious packages in gnu/linux
From: Morten Linderud <morten () linderud pw>
Date: Tue, 19 Nov 2019 13:19:10 +0100
On Tue, Nov 19, 2019 at 01:33:48PM +0200, Georgi Guninski wrote:
As end user and contributor of gnu/linux, I am concerned about malicious packages (either hostile developers or hacked developers or another reason) and have two questions: * What do linux vendors to avoid malicious packages? * As end user what can I do to mitigate malicious packages?
Yo! The answer to this is complicated. Different distributions has widely different threat models and supply chains for dealing with packages. This can be from the perspective of developers uploading pre-built binary packages to a repository, then distributed. Another factor is distributions where source packages are uploaded to a centralized builder, then distributed. You also got source-based distributions, such as Gentoo and probably NixOS, where the problem domain is a bit more complicated as the users might be building the packages themselves. Some attack vector are: * A malicious build server * Compromised source tarballs * Compromised packagers * Compromised mirrors/repositories There is not a definitive solution here. But there are multiple efforts and research going on. The most important one, in my opinion, is the reproducible builds project [1]. We need to ensure we are not inserting random or non-deterministic data into our build artifacts. This stretches from upstream developers providing tarballs, to pre-compiled sources and packages from distributions. There is no distribution today that has full reproducible builds, but there are many projects that work towards this and work on reproducible builds. Arch Linux has recently been trying to get the core repository 100% reproducible, and we have done a lot of effort towards this just the past week [2]. I have also written up a blog post describing the effort that has gone into this [3]. There are also other efforts, like Benjamin Hof which has done work attempting to provide transparency logs for Debian package repositories. This can work as a guard detecting compromised signing keys. Either from build servers or packagers [4]. The current status quo is a bit grim. You can't protect yourself against malicious packages. You need to trust the source and build the packages yourself, preferably write your own package files. As long as we use distributions we are bound to trusting the packagers and believe they are doing the right thing. However, reproducible builds will allow users to verify the work done by packagers in the future. I hope this gives some insight and answers parts of your question :) [1]: https://reproducible-builds.org/ [2]: https://lists.archlinux.org/pipermail/arch-dev-public/2019-November/029721.html [3]: https://linderud.dev/blog/reproducible-arch-linux-packages/ [4]: https://debconf18.debconf.org/talks/104-software-transparency-package-security-beyond-signatures-and-reproducible-builds/ -- Morten Linderud PGP: 9C02FF419FECBE16
Attachment:
signature.asc
Description:
Current thread:
- Mitigating malicious packages in gnu/linux Georgi Guninski (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Morten Linderud (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Stuart D. Gathman (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Tim Kuijsten (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Ludovic Courtès (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Morten Linderud (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Pavel Heimlich (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Jakub Wilk (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Solar Designer (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Russ Allbery (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Solar Designer (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Mark Hatle (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Russ Allbery (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Morten Linderud (Nov 19)