Date: Fri, 3 Apr 2015 12:02:29 -0700 From: Seth Arnold <seth.arnold@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: membership request to the closed linux-distros security mailing list On Fri, Apr 03, 2015 at 01:09:39AM -0400, Daniel Micay wrote: > I guess Ubuntu has to be dropped from the linux-distros then, because > www.ubuntu.com appears to be http-only and the ISO download is entirely > insecure. Ubuntu ISO downloads come alongside signed SHA256SUMs files: http://mirror.pnl.gov/releases/14.10/SHA256SUMS http://mirror.pnl.gov/releases/14.10/SHA256SUMS.gpg Granted, determining if the hashes was signed by a legitimate key is difficult to bootstrap, and our website currently doesn't help. As a result of Kurt's recent discussion about Kali Linux, and simultaneous prompting by Douglass Clem, I have asked our web team to make the ISO signing keys more prominently available on our website than just mentioned on one wiki page. > The security notices are also served insecurely there: > > http://www.ubuntu.com/usn/ The security advisories we send via email are gpg signed: https://lists.ubuntu.com/archives/ubuntu-security-announce/ In addition, the mechanism we suggest our users should use to apply updates -- apt-get update && apt-get dist-upgrade, or the graphical equivalent -- provides for full trust path validation automatically. The advisories are simply additional information for the curious. Our users can freely ignore our mailed and posted advisories if they wish. I raised my concerns about Enea's advisories largely because it appeared that their recommended mechanism of acquiring and installing updates is entirely unvalidated from end to end. If they are also using an authenticated tool like up2date, yum, apt-get, apt-rpm, zypper, pacman, pkgsrc, or git with signed tags or otherwise authenticated tags, as the actual mechanism users should use to download updates, then they should recommend using that tool in their advisories. > Am I missing something... ? It doesn't make much sense to criticize this > when you folks are doing the same. I do get the impression that Enea > Linux is handling security poorly (where are all of the other issues?) > but this bothered me. Funny, I didn't worry too much about how fee issues they've addressed: I don't know what packages they ship, nor the threat models their users may have with their systems. Please don't hesitate to share any other concerns with Ubuntu's security practices. Thanks Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.