Date: Fri, 26 Apr 2013 22:10:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Alistair Crooks <agc@...src.org>
CC: oss-security@...ts.openwall.com, Josh Bressers <bressers@...hat.com>
Subject: Re: upstream source code authenticity checking

On 04/26/2013 07:01 PM, Alistair Crooks wrote:
> No, not really. My point was that people seem to think that, just
> because something is signed, it must be 100% good from the right
> person. I will agree that most of the time this is the case -
> however, relying on this to be the case would be imprudent.
> There's

But they must already think that it's trustworthy or they wouldn't
CARE about whether or not the software is signed, because they wouldn't
even be looking at it or care that it exists. The only reason you would
care if the software is signed is if you intend to use it in some way
(or you're the 0.0001% of crazy security researchers, which is
basically no-one).

> As to unsigned code being wide open, we have previous versions to
> compare against (and, in the sense that we're discussing it here,
> the

This assumes they have not been compromised already and the
compromised bits brought forwards. This also assumes everyone runs
"diff -ru version1 version2" and audits the output. This is PROVABLY
not the case, otherwise people would catch NORMAL security flaws being
introduced.

> people who will be comparing are the packagers for the Linux
> distributions, or the BSD packagers). They are perfectly capable
> of doing that, and should be. As part of updating packages, they
> should

HAHAHAHAHAHAHAHAHAA MUAHAHAHA SNORT HAHAHAHAHAHA

No. No, as a rule they don't. Again, if people audited source code
changes for security flaws, by definition no new security flaws would
be introduced (well, they would be, but people would catch them).
Seriously, think about it.

> That wasn't my intention, so I'm sorry if it came across that way.
> But can we also get away from the "we have signed distfiles now, so
> everything is guaranteed to be safe for evermore"? Thanks.

Most of us never said that (and I apologize if we didn't make it
clear). We said "more secure", not "completely secure so stop
worrying". If we didn't spell it out, we should have, but I think it's
obvious from my post, Josh's post, etc. that that is the intent.

Right now we have code written by who knows what/who running on
millions of servers with no oversight/audits/checks. Witness this
week's WP-Super-Cache debacle, or the timthumb.php thing. If people
actually audited the code changes they would have gone "wow... mfunc...
wait... can't this result in code exec..?". Oh, and I've had NO
response from the WP-Super-Cache guy so far. Good thing he cares about
security. And all the people that use his software.

> Regards,
> Alistair

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993