Re: Reflections on Trusting Trust
On Thu, 1 Dec 2005, Peter Jeremy wrote:

But this assumes the signer trusts the FreeBSD.org security:

If you don't trust the FreeBSD Project you wouldn't run FreeBSD.

Without ssh access there's no way to insert a key into the CVS repository.

Assuming no security holes in the infrastructure... How can I tell that my private copy of the FreeBSD Project's CVS repository is the same as the one on whatever.FreeBSD.org?

I think this is actually the real core of the issue: what we want is improved confidence of safe delivery in the presence of limited attackers on the wire. That is, we would like to be able to tell the user that, yes, if they managed to get a first FreeBSD ISO in some uncorrupted form (from a trusted vendor, or even from an initially insecure download, which is what 99% will be), from then on they will get source updates generated using keying material that matches something on that ISO, only packages that were generated using keying material that matches something on that ISO, etc. I agree with the basic concept that, despite the infrastructural complexities and the desire to avoid promising more than we can really provide, there are incremental transport and packaging improvements we can make that will provide for safer delivery of our parts to the user.

Whether it's using portsnap's signature mechanism, signatures on packages, an https download option for pulling down updates, SSL wrappings for cvsup, or whatever, it seems like we can do better. If we do go down the route of things like https, X509, and all that, I think we should be very careful to distinguish the cert chain and roots used for our own purposes from those used for normal SSL, such that if our update chain or package chain is compromised, it doesn't mean a FreeBSD user is immediately vulnerable to more general SSL attacks against other entities (i.e., www.mybank.com).

Robert N M Watson
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
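As an added example (not code from this thread or from the FreeBSD Project), the separate-root arrangement described above, in Go with constructed Ed25519 keys: one store pins the public key that would ship on the first ISO and accepts only updates signed with it, a root trusted only for TLS cannot vouch for an update, and an update altered on the wire fails verification. The store names, types and `NewRoot` helper are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TrustStore holds public keys trusted for exactly one purpose. Keeping the
// update root in its own store, apart from the roots used for ordinary TLS,
// means a compromised update root says nothing about www.mybank.com.
type TrustStore struct {
	Purpose string
	Roots   []ed25519.PublicKey
}

// Update is a constructed stand-in for a source or package update: the
// content plus a detached signature over its SHA-256 digest.
type Update struct {
	Content   []byte
	Signature []byte
}

// NewRoot generates an Ed25519 key pair (constructed here); in practice the
// public half is what ships on the ISO and the private half stays offline.
func NewRoot() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the project side: sign the content digest with the update root.
func SignUpdate(priv ed25519.PrivateKey, content []byte) Update {
	d := sha256.Sum256(content)
	return Update{Content: content, Signature: ed25519.Sign(priv, d[:])}
}

// Verify is the user side: accept only updates signed by a root in this store.
func (ts *TrustStore) Verify(u Update) error {
	d := sha256.Sum256(u.Content)
	for _, root := range ts.Roots {
		if ed25519.Verify(root, d[:], u.Signature) {
			return nil
		}
	}
	return fmt.Errorf("update not signed by any %s root", ts.Purpose)
}
```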