Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 22 Apr 2013 03:32:14 +0200
From: Alistair Crooks <agc@...src.org>
To: oss-security@...ts.openwall.com
Subject: Re: upstream source code authenticity checking

On Mon, Apr 22, 2013 at 10:52:00AM +1000, Allan McRae wrote:
> Arch Linux does have similar system (our package building infrastructure
> uses PGP signature verification if available, any of a variety of
> checksums).

Right - and, as your blog post mentions, the necessary effectiveness
of the public key is germane to the issues here.  How is revocation or
expiry of keys handled?
 
> The point of my post was that if upstream does not provide anything when
> they release a tarball, then they really do not help that much...  It
> just verifies that the source the packager downloaded is the same as the
> source you have.  It does not save you if the source was altered before
> the packager obtained it.

Well, the package maintainers are asked to provide a summary of changes
when any updates are made. Personally, I like to diff old and new sources
to see what has changed; I'd like to think it's not just me doing that.
So the old version is used as leverage for the newer version.

However, the threat vector is an interesting one; in the past we've
seen trojaned versions of software (typically exploited in the
configure stage) occur, but the trojaned versions trail the official
release by some time.  As an aside -- if the builder is running
"./configure" as root, then they deserve a lot of the stuff that's
coming their way.  The other thing to note is that, in these cases,
the digests have been sufficient to pick up the changes in the
distributed tar files.  And simply adding more weight and complexity
to the signature (it's more than likely a SHA1 digest that gets
signed, right?) doesn't add any more protection, and demands
up-to-date public keys of the tarball packager.

So, all in all, I'm not sure what benefits a signature provides over digests
for this use case.

Regards,
Alistair

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.