Re: Reflections on Trusting Trust

From: Kris Kennaway (kris_at_obsecurity.org)
Date: 11/30/05

    Date: Tue, 29 Nov 2005 22:24:59 -0500
    To: Colin Percival <cperciva@freebsd.org>

    On Tue, Nov 29, 2005 at 06:07:29PM -0800, Colin Percival wrote:
    > Kris Kennaway wrote:
    > > On Tue, Nov 29, 2005 at 03:43:11PM -0800, Colin Percival wrote:
    > >>Even before you get to that point, you have to worry about making sure
    > >>that the build clients are secure. One possibility which worries me a
    > >>great deal is that a trojan in the build code for a low-profile port
    > >>(e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
    > >>gain control of a build client (and then insert trojans into packages
    > >>which are built there).
    > >
    > > They're closed systems that I keep up-to-date with security fixes, but
    > > yes, this is something that we do not defend against. As you note,
    > > it's not really practical to at the moment, so the best we can do is
    > > just keep it in mind and look for other things to fix.
    >
    > Yes and no. Fixing other potential security risks is good, but not if
    > it leads users to think that the packages are more trustworthy than they
    > really are. In particular, if we started distributing signed packages,
    > I suspect that most people would assume that the signatures guaranteed
    > that the packages were good, rather than simply ensuring that the packages
    > hadn't been modified after they were built.
    >
    > If we're going to sign anything, we need to ensure not just that we're
    > signing what we think we're signing, but also that we're signing what the
    > *end users* think that we're signing.

    Seems to me that ignorance and a false sense of security are bad
    wherever they appear, so all we can do is try our best to educate users
    about what they're getting.

    Kris
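The distinction Colin draws above (a signature proves the package was not modified after it was built, not that the build itself was clean) can be shown in code. The following is an added illustration and not part of the thread or of the FreeBSD package tools; it stands in a package build with an in-memory tar archive, and stands in the release signing key with an HMAC key (a real distribution would use an asymmetric signing key kept off the build clients). Both the file contents and the "extra file added at build time" are constructed placeholders.

```python
import hashlib
import hmac
import io
import secrets
import tarfile

# Constructed stand-in for the release team's private signing key. HMAC is used
# only so the example runs with the standard library; the property shown does not
# depend on the signature algorithm.
SIGNING_KEY = secrets.token_bytes(32)


def build_package(files: dict) -> bytes:
    """Constructed stand-in for a package build on a build client: archive whatever
    the port's build step produced. Names are sorted and mtime/uid/gid are pinned,
    so the archive depends only on the file names and contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign_package(package: bytes) -> bytes:
    """Sign the SHA-256 digest of the finished package bytes."""
    digest = hashlib.sha256(package).digest()
    return hmac.new(SIGNING_KEY, digest, "sha256").digest()


def verify_package(package: bytes, signature: bytes) -> bool:
    """Verify that the package bytes are exactly what was signed."""
    digest = hashlib.sha256(package).digest()
    expected = hmac.new(SIGNING_KEY, digest, "sha256").digest()
    return hmac.compare_digest(expected, signature)


def list_files(package: bytes) -> list:
    """Return the sorted member names of a package archive."""
    with tarfile.open(fileobj=io.BytesIO(package), mode="r") as tar:
        return sorted(m.name for m in tar.getmembers())


# Constructed sample input: what an honest build of a small port produces.
HONEST_FILES = {"bin/tool": b"#!/bin/sh\necho hello\n"}

# Constructed sample input: the same port built on a client whose build step was
# altered, so the package gains a file the port never intended to install. The
# content is a harmless placeholder; only its presence matters here.
ALTERED_BUILD_FILES = dict(
    HONEST_FILES,
    **{"etc/rc.d/extra": b"# placeholder: file added by an altered build step\n"},
)


def tampering_after_signing_is_detected() -> bool:
    """Case 1: modify the package after it was signed. Verification must fail."""
    pkg = build_package(HONEST_FILES)
    sig = sign_package(pkg)
    # Same-length edit inside the archive data block, so the tar stays parseable.
    tampered = pkg.replace(b"echo hello", b"echo HELLO")
    return verify_package(pkg, sig) and not verify_package(tampered, sig)


def build_time_change_passes_verification() -> bool:
    """Case 2: the change happened before signing. The signature is over the
    package as built, so verification succeeds even though the build was not
    what the port author intended."""
    pkg = build_package(ALTERED_BUILD_FILES)
    sig = sign_package(pkg)
    return verify_package(pkg, sig)


if __name__ == "__main__":
    print("post-signing tamper detected:", tampering_after_signing_is_detected())
    print("build-time change still verifies:", build_time_change_passes_verification())
    print("members of altered package:", list_files(build_package(ALTERED_BUILD_FILES)))
```

The second case is the one the thread is about: the signature check is correct and still passes, because the signature attests only to the bytes that left the build client. Anything that would catch the build-time change (auditing the port's build code, comparing independent builds of the same port, or keeping the build clients themselves trustworthy) has to happen before the signing step, which is what the discussion of educating users about what a signature guarantees comes down to.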
