Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 26 Apr 2013 00:55:22 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Alistair Crooks <agc@...src.org>
CC: oss-security@...ts.openwall.com, Josh Bressers <bressers@...hat.com>
Subject: Re: upstream source code authenticity checking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/25/2013 11:57 PM, Alistair Crooks wrote:
> On Thu, Apr 25, 2013 at 01:30:23AM -0600, Kurt Seifried wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 04/24/2013 11:55 PM, Alistair Crooks wrote:
>>> I'm not sure what using PGP gains us?
>>> 
>>> Regards, Alistair
>> 
>> So some possible outcomes are:
>> 
>> 1) They do PGP/GPG and don't get compromised. Long term outcome:
>> we come out way ahead.
>> 
>> 2) They do PGP/GPG and do get compromised. Long term outcome: we
>> trust bad things and lose, hopefully this gets spotted quickly
>> and dealt with.
> 
> Sure.  I actually agree with you.  But I'd also like it if we
> could bear in mind that, with PGP, trust is earned, trust
> signatures are snapshots in time, and trust levels are private,
> best guessses by people.  All people can see from a key listing is
> who trusted them and when, not how much, or whether the trust was
> warranted.

This makes no sense. So you don't trust their signature because they
have to "earn trust", but you do trust their software and you compile
and run it? That's literally insane.

Unless you actually audit every bit of source code you download and
audit before compiling/usage then by definition you are already
blindly trusting a lot of people (the software project, the host
serving it, every intermediate network, etc.).

I a seriously confused that a lot of people seem to think unsigned
code is somehow ok, but if we sign the code we have to do it perfectly
to have any value. This simply isn't true. Right now unsigned code is
wide open, and detecting changes is expensive (you need a full copy to
compare against, and if you have a copy why would you care? =).
SIgning releases with PGP/GPG makes this problem a lot easier to
handle and even if it fails, by definition the attacker would have
been able to pull the attack off any ways.

Can we please get over this "security must be done perfect or not at
all" and maybe actually get on with making things better? We have to
start somewhere. Sitting here going "well we won't do it unless we can
do it completely correctly" is just stupid and pointless. Seriously.
We need to start raising the bar and teaching people, this is far
better than refusing to do anything since it won't be perfect.

A perfect example of this is CVE assignments. Most projects do not do
them well or at all. Should I give up? Or should I try to educate them
and hand hold as needed so that they learn how to do it and start
doing it properly? This is what I have been doing and you may notice
that XEN, OwnCloud, OpenStack and a few others are now shipping
advisories with CVE's already assigned. And most of them are doing CVE
requests in a way that is efficient and scalable.

And next month (hopefully) you'll be getting even more CVEs (due to
more vendors doing CVE requests properly and easily for me), and then
at some point we'll bring OSVDB into the fold (once Steven figures out
how =) and it'll get even better.

Got to start somewhere. And if you want to go build some perfect
system I wish you luck, but I suspect like most attempts at perfection
it won't get very far.

> Regards, Alistair


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJReiTaAAoJEBYNRVNeJnmTRsAP/1iWLLLjBBUrjeiywOqzloxf
1vErJD1xBibLszAWbYQtJT77gPGTKChjKomzen2lXEsMiTaH9TbW9V8uw1+urjUL
Xg4h/ZGPygt5dF86PylJevws+cAy1zAjaXsc3kqz4pagdW/8GzvDn4IroW00pZs2
K+rs73Gkmz3FU227tWlMz5Y6miTkFU49cVVbvD3N+hT01ARJ1fWxFoJl3Tnv5lSb
REqDORC90vho7yBOQzeVqDe2C7OaiT9LZoqJlYNt1fTQl9oiMY3DiHHD+HK4w2In
5bJBvflp0pyycsPJ/k0413y3PWTfHwrBhLFrU6CNAMN6Wvj8jjhp3l16x6hgHsyq
tgA9ajQ33kzvm/lr5xCWDEe71GWsY/l2M4bBgJSlOB1yr5dnahRpGhnHskpdFChm
CWT89C63lKptLHyGKmNVmaZvOG+NhR0G0fvaCB2ye5XZdzArxVgMmYCxc75OE6hB
bsMXjtCfwOBe3Pac7FjzdG9Mr5/Ne+TvVihGw3URid6+UDygg9hET94+Lwrrhohn
BslVtW+6asZHAB/60w8Rt//DSac1m/GenGihsYt+AP7jF2tifKFyjm77fFxGQpIk
M1Ya3fqnZfL0NcPKK+Tu7LWAdYuEwaH1ZK6hl4N/lt94cVr4odTAvzSFZRwVGMxS
1FuyGVgTKSQwJocmlBX1
=J2Vw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.