public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Idea about signing ebuilds
From: Alexander Holler @ 2002-06-06 18:56 UTC
  To: gentoo-dev

Hello,

What do you think about signing the ebuilds and digests with gpg?

That would make it harder for blackhats to introduce a worm or something 
similar (if they have got access to an rsync mirror).

My idea is to automatically sign the released ebuilds (before mirroring 
them) with a key of gentoo.org.

Then emerge could check the signature and could discard wrong ebuilds or just 
throw a warning (preferably customizable via make.conf).

Just my 2 cents. ;)


Alexander




* Re: [gentoo-dev] Idea about signing ebuilds
From: Frank Tobin @ 2002-06-06 20:41 UTC
  To: gentoo-dev

On Thu, 6 Jun 2002, Alexander Holler wrote:

> what do you think about signing the ebuilds and digests with gpg?

Since there are multiple ebuild-providers (in contrast to a single one,
à la official RedHat RPMs), you would need to develop a PKI.  Once you say
PKI, things get complicated quickly, and I do not think that the complexity
required satisfies a current need.  Simple digests as they are currently
done are much better, IMO.

-- 
Frank Tobin			http://www.neverending.org/~ftobin/




* Re: [gentoo-dev] Idea about signing ebuilds
From: Jean-Michel Smith @ 2002-06-06 22:21 UTC
  To: gentoo-dev, Alexander Holler

On Thursday 06 June 2002 01:56 pm, Alexander Holler wrote:
> Hello,
>
> what do you think about signing the ebuilds and digests with gpg?
>
> That would make it harder for blackhats to introduce a worm or something
> similar (if they have got access to an rsync mirror).
>
> My idea is to automatically sign the released ebuilds (before mirroring
> them) with a key of gentoo.org.
>
> Then emerge could check the signature and could discard wrong ebuilds or just
> throw a warning (preferably customizable via make.conf).

I think it is an excellent idea, but then, that's easy for me to say since I'm 
not the one who would be burdened by the work of actually building a ring of 
trust and signing all the ebuilds.  

Having said that, it is clear that when new ebuilds are taken from bugzilla 
and put into the official CVS, the decision as to what goes in and what 
doesn't rests with a limited number of people, as does the right to commit 
to CVS.

It should be reasonably manageable to create a ring of trust amongst those who 
submit and distribute ebuilds, and the security benefits would be 
significant.

Unfortunately, as with most things, I suspect this will happen only AFTER 
someone slips a trojan through, as there is some amount of work in getting 
something like that setup and the developers have plenty of other things that 
are, for the moment anyway, more pressing. :-)

Just like backups, almost no one develops the habit until they've been bitten 
at least once. [grin]



* Re: [gentoo-dev] Idea about signing ebuilds
From: Ryan Phillips @ 2002-06-06 23:00 UTC
  To: gentoo-dev

* Jean-Michel Smith <jsmith@kcco.com> [2002-06-06 15:30]:
> On Thursday 06 June 2002 01:56 pm, Alexander Holler wrote:
> > Hello,
> >
> > what do you think about signing the ebuilds and digests with gpg?
> >
> > That would make it harder for blackhats to introduce a worm or something
> > similar (if they have got access to an rsync mirror).
> >

Here is a post I made a few weeks ago on this topic:
	http://forums.gentoo.org/viewtopic.php?t=3432&highlight=

-Ryan Phillips


* Re: [gentoo-dev] Idea about signing ebuilds
From: Alexander Holler @ 2002-06-06 23:52 UTC
  To: gentoo-dev

Hi,

--On Thursday, June 06, 2002 16:41:03 -0400 Frank Tobin 
<ftobin@neverending.org> wrote:

> On Thu, 6 Jun 2002, Alexander Holler wrote:
>
>> what do you think about signing the ebuilds and digests with gpg?
>
> Since there are multiple ebuild-providers (in contrast to a single one,
> à la official RedHat RPMs), you would need to develop a PKI.  Once you say

I don't need to know that the ebuild builder is the correct one; I just 
want the main server (gentoo.org) to sign the ebuilds with its key. So 
only one key is needed.

> PKI, things get complicated quickly, and I do not think that the complexity
> required satisfies a current need.  Simple digests as they are currently
> done are much better, IMO.

If I want to fake a package on one of the mirrors I just have to build a new 
package (e.g. with a trojan), change the URI in the ebuild and build new 
digests (which anyone could do).

In the other case, the blackhat has to get the key from the main server to 
change packages.
Or he needs to build and check in a new package, which I think would be 
discovered relatively quickly (in contrast to a silent takeover of one of the 
mirrors).




* Re: [gentoo-dev] Idea about signing ebuilds
From: Jeremiah Mahler @ 2002-06-07  5:33 UTC
  To: gentoo-dev

On Thu, Jun 06, 2002 at 08:56:30PM +0200, Alexander Holler wrote:
> Hello,
> 
> what do you think about signing the ebuilds and digests with gpg?
> 
> That would make it harder for blackhats to introduce a worm or something 
> similar (if they have got access to an rsync mirror).
> 
> My idea is to automatically sign the released ebuilds (before mirroring 
> them) with a key of gentoo.org.
> 
> Then emerge could check the signature and could discard wrong ebuilds or just 
> throw a warning (preferably customizable via make.conf).
> 
> Just my 2 cents. ;)
> 
> 
> Alexander

The goal is to have packages that are of high quality.

One solution is to only allow one or a small number of trusted people to
change the packages.  Development is slow and it is safe from trouble
makers. Debian uses this solution.

Another solution is to let anyone submit and change packages.
Development is fast but it is not safe from trouble makers.

My solution is to allow anyone to submit changes but also have a rating
system in place to gauge the trust people should place on a package.
Development is fast and is safe from trouble makers.

Of course my solution is not clear cut. There are many possible ways to
measure the trust people should place on a package. If it is brand new
it should not be trusted. If it has been used by many people and they
think it is trustworthy then it can be trusted. If the changes were made
by a trusted developer then it can be trusted. etc...

I have used Debian for a long time and I would hate to see Gentoo become
plagued with the same problems they have.

-- 
Jeremiah Mahler
<jmahler@pacbell.net>



* Re: [gentoo-dev] Idea about signing ebuilds
From: Alexander Holler @ 2002-06-07  8:53 UTC
  To: gentoo-dev

Hi,

--On Thursday, June 06, 2002 22:33:22 -0700 Jeremiah Mahler 
<jmahler@pacbell.net> wrote:

> The goal is to have packages that are of high quality.

That was not my intention. I just want to make the distribution a little 
safer against worm or virus infection.

Besides that, I'm of the opinion that the developer of the software knows 
its quality best. And I think an ebuild is (or should be) normally not 
more than calling configure, make and make install from the original 
package. It was always a mystery to me why a debian maintainer could 
know anything more about the stability of a package than the original 
developer. And because portage can handle more than one version of a 
package, it should be up to the user to decide which versions he wants.

I switched to gentoo because it offers me current versions (compiled for 
my machine) with the comfort of just calling 'emerge package'.

Regards,

Alexander


PS: I would find it nice if someone would describe the USE-variable 'tests' 
in the appropriate places (e.g. portage manual). Maybe this would inspire 
some ebuild-designers to call 'make tests' (if that is offered) before 
installing. This could make the quality a bit higher. ;)




* Re: [gentoo-dev] Idea about signing ebuilds
From: Jeremiah Mahler @ 2002-06-07  9:34 UTC
  To: gentoo-dev

On Fri, Jun 07, 2002 at 10:53:44AM +0200, Alexander Holler wrote:
> Hi,
> 
> --On Thursday, June 06, 2002 22:33:22 -0700 Jeremiah Mahler 
> <jmahler@pacbell.net> wrote:
> 
> >The goal is to have packages that are of high quality.
> 
> That was not my intention. I just want to make the distribution a little 
> safer against worm or virus infection.

To me, a package that has malicious code such as a "worm" or "virus" is
of "low quality".

> 
> Besides that, I'm of the opinion that the developer of the software knows 
> its quality best. And I think an ebuild is (or should be) normally not 
> more than calling configure, make and make install from the original 
> package. It was always a mystery to me why a debian maintainer could 
> know anything more about the stability of a package than the original 
> developer. And because portage can handle more than one version of a 
> package, it should be up to the user to decide which versions he wants.

I agree with you on the fact that ebuilds should do the least amount
possible in order to get the job done.

If anyone can submit ebuilds and the only way a user can discern between
different ebuilds is by the version number then the following is true:
 1. an ebuild can contain malicious code (worm, virus, etc)
 2. nothing will prevent the user from using a malicious ebuild

> 
> I switched to gentoo because it offers me current versions (compiled for 
> my machine) with the comfort of just calling 'emerge package'.
> 
> Regards,
> 
> Alexander
> 
> 
> PS: I would find it nice if someone would describe the USE-variable 'tests' 
> in the appropriate places (e.g. portage manual). Maybe this would inspire 
> some ebuild-designers to call 'make tests' (if that is offered) before 
> installing. This could make the quality a bit higher. ;)

-- 
Jeremiah Mahler
<jmahler@pacbell.net>



* Re: [gentoo-dev] Idea about signing ebuilds
From: Alexander Holler @ 2002-06-07 19:42 UTC
  To: gentoo-dev

Hi Jeremiah,

--On Friday, June 07, 2002 02:34:52 -0700 Jeremiah Mahler 
<jmahler@pacbell.net> wrote:

> If anyone can submit ebuilds and the only way a user can discern between
> different ebuilds is by the version number then the following is true:
>  1. an ebuild can contain malicious code (worm, virus, etc)
>  2. nothing will prevent the user from using a malicious ebuild

Clearly, but I think everyone whose ebuild has made it into the 
distribution (or got signed) has at least a name and an email address. ;)

So he isn't as anonymous as a blackhat needs or wants to be if he wants to 
submit malicious code.

And whether someone gets a key or access to cvs (or anything which allows him 
to distribute ebuilds) isn't such a great difference. We have to trust them 
anyway (as we have to trust those thousands of developers who are writing 
the programs).

To end that discussion (I think we both want almost the same), I'm just at 
the point of starting it simple (with one key for the server). It isn't much 
work and it's no problem to extend that later.

Regards,

Alexander




* Re: [gentoo-dev] Idea about signing ebuilds
From: Ryan Phillips @ 2002-06-07 23:05 UTC
  To: gentoo-dev

* Alexander Holler <holler@ahsoftware.de> [2002-06-07 13:00]:
> Hi Jeremiah,
> 
> --On Friday, June 07, 2002 02:34:52 -0700 Jeremiah Mahler 
> <jmahler@pacbell.net> wrote:
> 
> >If anyone can submit ebuilds and the only way a user can discern between
> >different ebuilds is by the version number then the following is true:
> > 1. an ebuild can contain malicious code (worm, virus, etc)
> > 2. nothing will prevent the user from using a malicious ebuild
> 
> To end that discussion (I think we both want almost the same), I'm just at 
> the point of starting it simple (with one key for the server). It isn't much 
> work and it's no problem to extend that later.

There is a problem with having one key.  If the server is going to sign its own 
ebuilds, then the password will have to be stored on the server.  If
the server is rooted or someone gets access to the key, then the
security is broken.

If there is only way key, then all the developers would need to know
the password, or have only one person sign the ebuilds.  Both are
unacceptable IMO.

The right way of doing this is to sign the gentoo developer's gpg
key with a master portage key, then check the signatures and trust
level on the key and package(s).

-ryan

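The two signing models argued over in this thread (Alexander's single gentoo.org key over every digest, in his reply to Frank, and Ryan's master portage key certifying developer keys, in the message above), together with the mirror attack Alexander describes (swap the tarball, repoint the URI in the ebuild, regenerate the digest), as an added toy model. It is not part of the thread and not Portage code: it assumes a made-up package foo-1.0, a SHA-256 digest format that only loosely resembles Portage's files/digest-* lines, and textbook RSA with small keys standing in for gpg. All of those are illustration choices, not anything the posters proposed; the RSA in particular is unpadded and sized for speed, so it demonstrates the trust model, not a usable signature scheme.

```python
"""Toy model of the mirror attack and the two signing models from this thread.
Added illustration, not Portage code: textbook RSA (no padding), small keys, a
digest format only loosely like files/digest-*, and constructed sample data."""
import hashlib
import random

_rng = random.Random(2002)  # fixed seed so the toy keys are reproducible; never do this for real keys

def _is_probable_prime(n, rounds=20):
    # Miller-Rabin for the large odd candidates that _gen_prime produces
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(p):
            return p

def keygen(bits=512):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private) as ((n, e), (n, d))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256 bits < n, so no padding in this toy

def sign(priv, data):
    return pow(_h(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data)

def make_digest(files):
    """One line per file, in the spirit of a files/digest-* entry: ALGO hex name size."""
    return "".join(f"SHA256 {hashlib.sha256(b).hexdigest()} {k} {len(b)}\n"
                   for k, b in sorted(files.items())).encode()

def digest_ok(files, digest):
    """The 2002 status quo: a digest-only check, which anyone can regenerate."""
    return make_digest(files) == digest

def build_tree(files, signer_priv, **extra):
    # what a mirror serves: files, digest, a signature over the digest, plus any key material
    digest = make_digest(files)
    return {"files": dict(files), "digest": digest, "sig": sign(signer_priv, digest), **extra}

def verify_single_key(tree, gentoo_pub):
    """Alexander's model: one gentoo.org key signs every digest file."""
    return digest_ok(tree["files"], tree["digest"]) and verify(gentoo_pub, tree["digest"], tree["sig"])

def certify(master_priv, dev_pub):
    """Ryan's model: the master portage key signs a developer's public key."""
    return sign(master_priv, repr(dev_pub).encode())

def verify_two_tier(tree, master_pub):
    if not verify(master_pub, repr(tree["dev_pub"]).encode(), tree["cert"]):
        return False  # signing key is not certified by the master key
    return digest_ok(tree["files"], tree["digest"]) and verify(tree["dev_pub"], tree["digest"], tree["sig"])

HONEST_FILES = {  # constructed sample package
    "foo-1.0.ebuild": b'SRC_URI="http://distfiles.gentoo.org/foo-1.0.tar.gz"\n',
    "foo-1.0.tar.gz": b"pretend upstream tarball",
}

def mirror_attack(files):
    """Attacker who owns a mirror but no key: swap the tarball, repoint SRC_URI, regenerate the digest."""
    evil = dict(files)
    evil["foo-1.0.ebuild"] = evil["foo-1.0.ebuild"].replace(b"distfiles.gentoo.org", b"evil.example")
    evil["foo-1.0.tar.gz"] = b"trojaned tarball"
    return evil

def demo():
    gentoo_pub, gentoo_priv = keygen()
    attacker_pub, attacker_priv = keygen()
    master_pub, master_priv = keygen()
    dev_pub, dev_priv = keygen()
    cert = certify(master_priv, dev_pub)
    evil = mirror_attack(HONEST_FILES)
    return {
        "digest_only_tampered": digest_ok(evil, make_digest(evil)),  # attacker's own digest is accepted
        "single_honest": verify_single_key(build_tree(HONEST_FILES, gentoo_priv), gentoo_pub),
        "single_tampered": verify_single_key(build_tree(evil, attacker_priv), gentoo_pub),
        "two_tier_honest": verify_two_tier(build_tree(HONEST_FILES, dev_priv, dev_pub=dev_pub, cert=cert), master_pub),
        # attacker copies the real developer's certificate but can only present his own key
        "two_tier_tampered": verify_two_tier(build_tree(evil, attacker_priv, dev_pub=attacker_pub, cert=cert), master_pub),
    }
```

demo() returns one verdict per case: the digest-only client accepts the tampered tree, because the attacker who wrote the ebuild and tarball also wrote the digest; both signed models reject it, since the attacker holds neither the gentoo.org key nor a developer key the master key has certified. Ryan's objection still stands in the model: in the single-key case the signing key has to live wherever build_tree runs, and whoever roots that host can sign anything.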

* Re: [gentoo-dev] Idea about signing ebuilds
From: Ryan Phillips @ 2002-06-07 23:12 UTC
  To: gentoo-dev

* Ryan Phillips <rphillips@gentoo.org> [2002-06-07 16:09]:
> If there is only way key, then all the developers would need to know
> the password, or have only one person sign the ebuilds.  Both are
> unacceptable IMO.
> 

Sorry about that... applications don't proof read :)

s/way/one





Thread overview: 11+ messages
2002-06-06 18:56 [gentoo-dev] Idea about signing ebuilds Alexander Holler
2002-06-06 20:41 ` Frank Tobin
2002-06-06 23:52   ` Alexander Holler
2002-06-06 22:21 ` Jean-Michel Smith
2002-06-06 23:00   ` Ryan Phillips
2002-06-07  5:33 ` Jeremiah Mahler
2002-06-07  8:53   ` Alexander Holler
2002-06-07  9:34     ` Jeremiah Mahler
2002-06-07 19:42       ` Alexander Holler
2002-06-07 23:05         ` Ryan Phillips
2002-06-07 23:12           ` Ryan Phillips
