From: "Rick \"Zero_Chaos\" Farina"
Date: Thu, 05 Mar 2015 19:56:04 -0500
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Message-ID: <54F8FB24.5060906@gentoo.org>
In-Reply-To: <54F8AB17.6050508@whonix.org>
References: <54F86D04.3060804@whonix.org> <54F87698.5010104@gentoo.org> <54F8AB17.6050508@whonix.org>
List-Id: Gentoo Linux mail
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0

On 03/05/15 14:14, Patrick Schleizer wrote:
>> I used the footnote numbers to reference the attacks.
>
> I am afraid this might cause some confusion. The numbers you have used
> won't stay stable. Those were autogenerated numbers of footnotes. As
> footnotes change, these numbers change. To keep your post
> understandable, I created a snapshot before modifying footnotes:
> http://www.webcitation.org/6Wo9Cb2ox
>
> However, numbers (1), (2), (3), etc. that won't be automatically
> changed, have just been added now.

HA, my fault, sorry about that.

>
> Actually, I was aware of it. The issue is, signing is not everything.
> Signatures need a validity range. Otherwise mirrors can also show half a
> year etc. old signatures that are valid. See also:
> http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
>
>> attacks 3, 11, and 12.
>
> There was no attack 3. Now, before we talk past each other, would you
> mind reposting by referencing attacks by name or by their new, "real"
> numbers?

Well now there is an attack 3 :-)

webrsync-gpg would ALERT the user in the case of attack 3. Portage checks the timestamp file from inside the gpg-signed snapshot and alerts the user if the last sync was too long ago. In the case of a freeze attack, it should alert the user that the sync is old. Not that it fixes the attack, but it won't go unnoticed for long.

Likewise, webrsync-gpg would also completely prevent 7 and 8. The snapshot is the entire tree, so it is not possible to "mix and match" without modifying the signed tarball. Nor would it be possible to provide the user with the wrong package, since the checksums from inside the signed portage tarball wouldn't match if the source package was traded for a different one.
Attack 8 shouldn't work either: as the checksums for everything are protected in the gpg-signed portage tarball, it should not be possible to trade out a source tarball for a different one. While gentoo doesn't typically use binary packages, it does have the support for it. Nothing in the binary package installation is protected by signatures, so I would expect this kind of attack to be possible when installing a binary package. Might be non-trivial to do, but certainly possible.

Attack 9 won't work either: assuming the user can avoid the freeze attack (3), the user will have an up-to-date knowledge of what it expects on the mirrors and will simply ask other mirrors for the right file in case of 404 or bad checksum.

tl;dr webrsync-gpg is a built-in feature of the package manager which OPTIONALLY adds a significant amount of security against the attacks described on your website. This is not currently the default setting; however, it is described in many hardening guides for gentoo and widely used among the security conscious.
-Zero_Chaos
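Added example (not Portage's code and not the author's): a defender-side sketch of the two checks the reply describes, a freshness window on the timestamp carried inside the signed snapshot (freeze attack) and distfile checksums taken from the signed manifest (mix-and-match / wrong-package attacks). The snapshot layout, the timestamp format and the seven-day limit are assumptions; signature verification itself is represented by a boolean input.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Maximum age accepted for a signed snapshot before alerting (assumed policy value).
MAX_SNAPSHOT_AGE = timedelta(days=7)

# Constructed stand-in for a signed snapshot. The real signature covers the whole
# tarball, so both the timestamp and the manifest below count as authenticated.
SNAPSHOT = {
    "timestamp": "Thu, 05 Mar 2015 00:30:01 +0000",  # constructed, RFC 2822 style assumed
    "manifest": {                                     # constructed distfile -> sha256
        "foo-1.0.tar.gz": hashlib.sha256(b"foo-1.0 release contents").hexdigest(),
    },
}

def snapshot_is_fresh(snapshot, now, max_age=MAX_SNAPSHOT_AGE):
    """Freeze-attack check: a valid signature says nothing about age, so the
    timestamp carried inside the signed snapshot is compared against a window."""
    ts = parsedate_to_datetime(snapshot["timestamp"])
    if ts.tzinfo is None:                 # "-0000" parses as naive; treat as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    age = now - ts
    if age < timedelta(0):
        return False, "snapshot timestamp is in the future"
    if age > max_age:
        return False, f"snapshot is {age.days} days old (limit {max_age.days})"
    return True, "fresh"

def distfile_matches(snapshot, name, data):
    """Mix-and-match / wrong-package check: the fetched file must hash to the digest
    recorded in the signed manifest, otherwise it is rejected and another mirror tried."""
    expected = snapshot["manifest"].get(name)
    if expected is None:
        return False, "not in signed manifest"
    if hashlib.sha256(data).hexdigest() != expected:
        return False, "checksum mismatch"
    return True, "ok"

def check_sync(snapshot, signature_valid, now, fetched):
    """Order matters: signature first (nothing inside is trusted before that),
    then freshness, then every fetched distfile against the signed manifest."""
    if not signature_valid:
        return ["signature invalid: snapshot rejected"]
    alerts = []
    fresh, why = snapshot_is_fresh(snapshot, now)
    if not fresh:
        alerts.append("ALERT: " + why)
    for name, data in fetched.items():
        ok, why = distfile_matches(snapshot, name, data)
        if not ok:
            alerts.append(f"ALERT: {name}: {why}")
    return alerts
```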