Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 26 Apr 2013 22:10:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Alistair Crooks <agc@...src.org>
CC: oss-security@...ts.openwall.com, Josh Bressers <bressers@...hat.com>
Subject: Re: upstream source code authenticity checking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/26/2013 07:01 PM, Alistair Crooks wrote:
> No, not really.  My point was that people seem to think that, just 
> because something is signed, it must be 100% good from the right 
> person.  I will agree that most of the time this is the case - 
> however, relying on this to be the case would be imprudent.
> There's

But they must already think that it's trustworthy or they wouldn't
CARE about whether or not the software is signed because they wouldn't
even be looking at it or care that it exists. The only reason you
would care if the software is signed is if you intend to use it in
some way (or you're the 0.0001% of crazy security researchers, which
is basically no-one).

> As to unsigned code being wide open, we have previous versions to 
> compare against (and, in the sense that we're discussing it here,
> the

This assumes they have not been compromised already and the
compromised bits brought forwards. This also assumes everyone runs
diff -ru version1 version2 and audits the ouput. This is PROOVABLY not
the case otherwise people would catch NORMAL security flaws being
introduced.

> people who will be comparing are the packagers for the Linux 
> distributions, or the BSD packagers).  They are perfectly capable
> of doing that, and should be.  As part of updating packages, they
> should

HAHAHAHAHAHAHAHAHAA MUAHAHAHA SNORT HAHAHAHAHAHA

No. No as a rule they don't. Again if people audited source code
changes for security flaws, by definition no new security flaws would
be introduced (well they would be, but people would catch them).
Seriously, think about it.

> That wasn't my intention, so I'm sorry if it came across that way.
> But can we also get away from the "we have signed distfiles now, so
> everything is guaranteed to be safe for evermore"? Thanks.

Most of us never said that (and I apologize if we didn't make it
clear). We said "more secure", not "completely secure so stop
worrying". If we didn't spell it out, we should have, but I think it's
obvious from my post, Josh's post, etc that that is the intent.

Right now we have code written by who knows what/who running on
millions of servers with no oversight/audits/checks. Witness this
weeks WP-Super-Cache debacle, or the timthumb.php thing. If peple
actually audited the code changes they would have gone "wow...
mfunc... wait.. can't this result in code exec..?".

Oh and I've had NO response from the WP-Super-Cache guy so far. good
thing he cares about security. And all the people that use his software.

> Regards, Alistair


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRe0/LAAoJEBYNRVNeJnmTMNgP/2FPVVNNyfx75gGlae45QKpt
CDJPA3klag33Y1j4mr+1D+pNKgsrHYStbn+RHCfx45QpJ2SqqfTpWP8WW3MTzuQX
OjDlfNHfyTejiaXveNpCwhHEjyySNQCLRKNeo/G7j2Zh2cZH84kDuZPaEswTZbvU
Jwmh1K6oIZE1ceH+mbSUXglwsmrZ7W+0bgCV9QrNn5m79NB71AbcjAb1+pnOVR7K
x/msccsea+Pd17+PXS2vqDeVP2sS50xvtjekjvb2Hd27gHBeg2kBAg+JkrsslQhc
kXSqxnUALDGTBTcjo6uHlO1IF9QHqzEeWC3G/gMHFsG04IZdfO2nIEi46/983rz+
v6zLUXMsVwAlMouv/W09ZV0PwME1M5njKezrESz6OjbJiyhyOf1/gDWJUpbWpoNs
FCbmtuZPKShBBKEhRyabUYV7cThsRm0gogo7wuLHXkgy2WiqRD4k2bpc0ptfEN8i
ZiA0T7OGwcKjTtrZ1PPpI0+7oano9/gCguNcwaYAQ2u0vYbv9jQghN80d6eh3Sfs
vibzqmx0bp3zQAgYJkwWrxAfe1SGpqd7kHBZ92LV5EJr4G7yYBjfYYUuvbr3NzAI
Z1Z8xgNOCzW8A3+AsWtLcIvP2p/UKijxm7Ochk/9XxnauyS5OCTkvjfkwfOMv/14
5SIBdo52tmSjuduu3jXo
=9qZN
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.