Re: Reflections on Trusting Trust

From: Colin Percival (cperciva_at_freebsd.org)
Date: 11/30/05

  • Next message: Kris Kennaway: "Re: Reflections on Trusting Trust"
Date: Tue, 29 Nov 2005 18:07:29 -0800
To: Kris Kennaway <kris@obsecurity.org>

Kris Kennaway wrote:
> On Tue, Nov 29, 2005 at 03:43:11PM -0800, Colin Percival wrote:
>>Even before you get to that point, you have to worry about making sure
>>that the build clients are secure. One possibility which worries me a
>>great deal is that a trojan in the build code for a low-profile port
>>(e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
>>gain control of a build client (and then insert trojans into packages
>>which are built there).
>
> They're closed systems that I keep up-to-date with security fixes, but
> yes, this is something that we do not defend against. As you note,
> it's not really practical to at the moment, so the best we can do is
> just keep it in mind and look for other things to fix.

Yes and no. Fixing other potential security risks is good, but not if
it leads users to think that the packages are more trustworthy than they
really are. In particular, if we started distributing signed packages,
I suspect that most people would assume that the signatures guaranteed
that the packages were good, rather than simply ensuring that the packages
hadn't been modified after they were built.

If we're going to sign anything, we need to ensure not just that we're
signing what we think we're signing, but also that we're signing what the
*end users* think that we're signing.

Colin Percival
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
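The distinction Colin draws (a package signature proves the bytes are unchanged since signing, not that the build that produced them was clean) can be made concrete with a short Python illustration. This is an added example, not code from the FreeBSD project or from either author in the thread. It uses an HMAC-SHA256 tag under a constructed key as a stand-in for a real detached signature, and the port name, build script and "injected change" marker are constructed sample values; the marker is only a string, standing in for whatever a compromised build client might alter.

```python
"""Added illustration of what a post-build package signature attests.

The "signature" is an HMAC-SHA256 tag under a shared key, standing in for a
real detached signature (assumption, not a real package-signing format).
All inputs are constructed sample values.
"""
import hashlib
import hmac

# Constructed signing key; a real system would use a release signing key.
SIGNING_KEY = b"constructed-release-key-not-for-real-use"


def build_package(port_name: str, build_script: bytes) -> bytes:
    """Simulate a build client turning a port's build script into a package.

    Whatever the build step produces becomes the package; the build input is
    trusted blindly here, which is exactly the gap discussed in the thread.
    """
    return b"port=" + port_name.encode() + b"\n" + build_script


def sign_package(package: bytes) -> bytes:
    """Sign the finished package bytes, after the build has completed."""
    return hmac.new(SIGNING_KEY, package, hashlib.sha256).digest()


def verify_package(package: bytes, signature: bytes) -> bool:
    """Check that the package bytes are exactly what was signed."""
    expected = hmac.new(SIGNING_KEY, package, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking where the tag first differs.
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Return the outcome of the three cases the mail distinguishes."""
    clean_script = b"make install\n"
    # Constructed marker standing in for a change made during the build.
    tampered_script = b"make install\n# build-client-injected-change\n"

    clean_pkg = build_package("misc/example-port", clean_script)
    tampered_pkg = build_package("misc/example-port", tampered_script)

    clean_sig = sign_package(clean_pkg)
    tampered_sig = sign_package(tampered_pkg)

    # Modification after signing, e.g. on a mirror or in transit.
    modified_after_signing = clean_pkg + b"# appended after signing\n"

    return {
        "clean_verifies": verify_package(clean_pkg, clean_sig),
        # A build-time change is inside what was signed, so it verifies.
        "build_time_change_verifies": verify_package(tampered_pkg, tampered_sig),
        # Only a change made after signing is caught by the signature.
        "post_signing_change_verifies": verify_package(modified_after_signing, clean_sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The second result is the one users tend to misread: the signature over `tampered_pkg` is perfectly valid, because the signer signed exactly what the build client handed over. A signature scheme can only ever vouch for the integrity of the input to the signing step, so any claim beyond "unchanged since the builder signed it" has to come from securing the build clients themselves, as the thread says.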

