Date: Fri, 26 Apr 2013 22:10:51 -0600
From: Kurt Seifried <>
To: Alistair Crooks <>
CC:, Josh Bressers <>
Subject: Re: upstream source code authenticity checking

On 04/26/2013 07:01 PM, Alistair Crooks wrote:
> No, not really.  My point was that people seem to think that, just 
> because something is signed, it must be 100% good from the right 
> person.  I will agree that most of the time this is the case - 
> however, relying on this to be the case would be imprudent.
> There's

But they must already think that it's trustworthy or they wouldn't
CARE about whether or not the software is signed because they wouldn't
even be looking at it or care that it exists. The only reason you
would care if the software is signed is if you intend to use it in
some way (or you're the 0.0001% of crazy security researchers, which
is basically no-one).

> As to unsigned code being wide open, we have previous versions to 
> compare against (and, in the sense that we're discussing it here,
> the

This assumes they have not been compromised already and the
compromised bits brought forwards. This also assumes everyone runs
diff -ru version1 version2 and audits the output. This is PROVABLY not
the case, otherwise people would catch NORMAL security flaws being

> people who will be comparing are the packagers for the Linux 
> distributions, or the BSD packagers).  They are perfectly capable
> of doing that, and should be.  As part of updating packages, they
> should

No. No, as a rule they don't. Again, if people audited source code
changes for security flaws, by definition no new security flaws would
be introduced (well they would be, but people would catch them).
Seriously, think about it.

> That wasn't my intention, so I'm sorry if it came across that way.
> But can we also get away from the "we have signed distfiles now, so
> everything is guaranteed to be safe for evermore"? Thanks.

Most of us never said that (and I apologize if we didn't make it
clear). We said "more secure", not "completely secure so stop
worrying". If we didn't spell it out, we should have, but I think it's
obvious from my post, Josh's post, etc that that is the intent.

Right now we have code written by who knows what/who running on
millions of servers with no oversight/audits/checks. Witness this
week's WP-Super-Cache debacle, or the timthumb.php thing. If people
actually audited the code changes they would have gone "wow...
mfunc... wait.. can't this result in code exec..?".

Oh, and I've had NO response from the WP-Super-Cache guy so far. Good
thing he cares about security. And all the people that use his software.

> Regards, Alistair

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


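The argument above turns on whether anyone actually runs `diff -ru version1 version2` and reads the output. The following is an added example, not code from the thread or from any of the projects mentioned: it produces the same kind of unified diff a packager would read, then scans only the *added* lines for constructs that warrant a human look (eval, shell execution, variable includes, base64 decoding, string-to-callback). The two source trees, the `<!--dynamic-->` marker and the list of risky constructs are constructed for illustration and are assumptions, not the real WP-Super-Cache code; the point is that a signed or checksummed tarball still has to be audited as a change set.

```python
"""Audit the changes between two source versions, the way a packager would
with `diff -ru`, and flag added lines that need a human reviewer.

Added example for the oss-security thread on upstream source authenticity;
not code from the thread or from any project it mentions. The source trees,
the <!--dynamic--> marker and the RISKY table are constructed assumptions."""
import difflib
import re

# Constructed sample: two versions of one plugin. Version 2 adds a harmless
# new file and a "dynamic content" feature that evaluates text found in the
# page being cached, i.e. attacker-controllable input reaches eval().
OLD_TREE = {
    "plugin/cache.php": (
        "<?php\n"
        "function cache_page($html) {\n"
        "    return $html;\n"
        "}\n"
    ),
}
NEW_TREE = {
    "plugin/cache.php": (
        "<?php\n"
        "function cache_page($html) {\n"
        "    $html = str_replace('\\r\\n', '\\n', $html);\n"
        "    if (preg_match_all('/<!--dynamic-->(.*?)<!--\\/dynamic-->/s', $html, $m)) {\n"
        "        foreach ($m[1] as $code) { eval($code); }\n"
        "    }\n"
        "    return $html;\n"
        "}\n"
    ),
    "plugin/new_helper.php": "<?php\nfunction helper() { return 1; }\n",
}

# Constructs whose appearance in *added* lines warrants a human look.
# Assumed list tuned for PHP; extend per language of the package.
RISKY = {
    "eval": re.compile(r"\beval\s*\("),
    "shell exec": re.compile(r"\b(exec|system|passthru|shell_exec|popen)\s*\("),
    "dynamic include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$"),
    "base64 decode": re.compile(r"\bbase64_decode\s*\("),
    "string to callback": re.compile(r"\b(call_user_func(_array)?|create_function)\s*\("),
}


def unified_diff(old, new):
    """Return the equivalent of `diff -ru old/ new/` for two {path: text} trees."""
    out = []
    for path in sorted(set(old) | set(new)):
        a = old.get(path, "").splitlines(keepends=True)
        b = new.get(path, "").splitlines(keepends=True)
        out.extend(difflib.unified_diff(a, b, fromfile=f"old/{path}",
                                        tofile=f"new/{path}"))
    return "".join(out)


def audit(old, new):
    """Return (path, new_line_no, label, line) for each added or rewritten
    line in `new` that matches a RISKY construct. Unchanged lines are not
    scanned: the point is to review the change set, not the whole tree."""
    findings = []
    for path in sorted(set(old) | set(new)):
        a = old.get(path, "").splitlines()
        b = new.get(path, "").splitlines()
        matcher = difflib.SequenceMatcher(None, a, b)
        for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
            if tag not in ("insert", "replace"):
                continue  # 'equal' and 'delete' add no new code
            for j in range(j1, j2):
                for label, rx in RISKY.items():
                    if rx.search(b[j]):
                        findings.append((path, j + 1, label, b[j].strip()))
    return findings


if __name__ == "__main__":
    print(unified_diff(OLD_TREE, NEW_TREE))
    for path, line_no, label, line in audit(OLD_TREE, NEW_TREE):
        print(f"REVIEW {path}:{line_no} [{label}] {line}")
```

Running it prints the diff followed by one `REVIEW` line pointing at the `eval($code)` call in the new `cache_page()`. The regex table is deliberately crude: its job is to shrink a large diff to the handful of lines a packager must read, not to decide on its own whether the change is safe, which is exactly the audit step the thread says is rarely done.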