Re: Reflections on Trusting Trust
From: aristeu (suporte_at_wahtec.com.br)
Date: 11/30/05
- Previous message: Alexander Leidinger: "Re: Reflections on Trusting Trust"
- In reply to: Kris Kennaway: "Re: Reflections on Trusting Trust"
- Next in thread: Qd=E1m_Szilveszter?=: "Re: Reflections on Trusting Trust"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Kris Kennaway" <kris@obsecurity.org> Date: Wed, 30 Nov 2005 13:01:38 -0200
>> Yes and no. Fixing other potential security risks is good, but not if
>> it leads users to think that the packages are more trustworthy than they
>> really are. In particular, if we started distributing signed packages,
>> I suspect that most people would assume that the signatures guaranteed
>> that the packages were good, rather than simply ensuring that the
>> packages
>> hadn't been modified with after they were built.
>>
>> If we're going to sign anything, we need to ensure not just that we're
>> signing what we think we're signing, but also that we're signing what the
>> *end users* think that we're signing.
>
>Seems to me that ignorance and a false sense of security is bad
>wherever it appears, so all we can do is try our best to educate users
>about what they're getting.
I think that with a clear policy the ports and packages could be singned.
Something like a banner during installation of a port "This key ensures that
this port was made/arranged by an official freebsd port mantainer. The
freebsd security team does not take responsability for its contents since it
was not scrutinized by them. Good luck!", or, for packages, a similar
message saying the package was built on freebsd infrastructure, but the
freebsd team don`t take responsability fot its contents, bla, bla...
I don't know what kind of authentication with port mantainers do you have,
but I
think between you guys and the port mantainers must exist some good scheme.
This part is OK. now is just the freebsd server and end users part. Sign it
with a "ports system" secret key, and a public key pre-installed on clients.
The secret key well guarded on ports system core... Simple as that, it can
mitigate some problems.
I realy dont think signing things ensure that a port or package is secure,
but but makes a hell of a better job proving that it came from where it
saids it came than loose hashes. Other than that,
"security by omission", if exists this, won't solve anything.
I know the freebsd-update and portsnap (potsnap I just discovered in this
thread)
solutions are good. I'm wishing this to be the freebsd standard.
I don't wanna push things, and I know things don't work this way. I just
wanned to show an end user opinion, on the reflections topic... :)
that said, I'm gone....
Thanks and best regards,
--aristeu
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Alexander Leidinger: "Re: Reflections on Trusting Trust"
- In reply to: Kris Kennaway: "Re: Reflections on Trusting Trust"
- Next in thread: Qd=E1m_Szilveszter?=: "Re: Reflections on Trusting Trust"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
