public inbox for gentoo-portage-dev@lists.gentoo.org
From: "Rick \"Zero_Chaos\" Farina" <zerochaos@gentoo.org>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] Portage and Update Security
Date: Wed, 11 Mar 2015 11:35:48 -0400	[thread overview]
Message-ID: <550060D4.4050702@gentoo.org> (raw)
In-Reply-To: <CAOyQwLi_9W9fV0C3h5GK+ubRUzEC7=xbEsHp_8L4=5UCeaxmWQ@mail.gmail.com>

On 03/10/15 17:15, Vladimir Diaz wrote:
> Hi,
> 
> I am a developer in the Secure Systems Lab at NYU.  Our lab has
> collaborated with popular software update systems in the open-source
> community, including APT, yum, and YaST, to address security problems.
> More recently, we have been working on a flexible security framework
> co-developed with the Tor project that can be easily added to software
> updaters to transparently solve many of the known security flaws we have
> uncovered in software updaters.  We would like to work with The Portage
> Development Project to better secure the Portage distribution system.
> 
> TUF
> <https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
> (The Update Framework) is a library that can be added to an existing
> software update system and is designed to update files in a more secure
> manner.  Many software updaters verify software updates with cryptographic
> signatures and hash functions, but they typically fail to protect against
> malicious attacks that target the metadata and update files presented to
> clients.  A rollback attack is one such example, where an attacker tricks a
> client into installing older files than those the client has already seen
> (these older files may be vulnerable versions that have since been fixed).
> A full list of attacks and weaknesses the framework is designed to address
> is provided here
> <https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security>
> .
> 
> Our website <http://theupdateframework.com/index.html> includes more
> information about TUF, including: papers
> <https://github.com/theupdateframework/tuf/tree/develop/docs/papers> and a
> specification
> <https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
> If you want to see how an existing project integrates TUF, there is a
> standards track proposal
> <https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
> to the Python community that you can review.  A more rigorous proposal that
> requires more administrative work on the repository, but provides more
> security protections, is also available
> <https://www.python.org/dev/peps/pep-0480/>.
> 
> We were thinking of submitting a pull request that shows how such an
> integration would work.  So there hopefully won't be much leg work on your
> end apart from deciding how the system should be configured (key storage,
> roles, etc.).
> 
> Would a pull request be of interest?  Is there anything you'd like us to
> say more about?

I can't speak for the portage team, but I'm certainly interested to see
what you have to show.  Security should matter to everyone.

-Zero.
> 
> Thanks,
> Vlad
> 
> P.S.
> There are Informational <http://wiki.gentoo.org/wiki/GLEP:57> and Standards
> Track <http://wiki.gentoo.org/wiki/GLEP:58> GLEPs that reference our work
> and the security issues that our project addresses, but there hasn't been
> much recent activity on these proposals.
> 
> 
> --
> vladimir.v.diaz@gmail.com
> PGP fingerprint = ACCF 9DCA 73B9 862F 93C5  6608 63F8 90AA 1D25 3935
> --
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
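The rollback and freeze attacks Vlad describes above, worked as an added example that is neither Portage nor TUF code. It shows the client-side state a TUF-style updater keeps (the highest metadata version it has accepted) and the three checks that make a replayed-but-genuine old metadata file fail: signature, expiry, then monotonic version. Assumptions: HMAC-SHA256 with a shared key stands in for the public-key signatures TUF actually uses, the metadata layout (`version`, `expires`, `targets`) is a simplified sketch of TUF's, and the key, clock and package bytes are constructed for the demo.

```python
"""Minimal client-side rollback/freeze checks in the spirit of TUF.

Added example, not Portage or TUF code.  HMAC-SHA256 with a shared key is a
stand-in for TUF's asymmetric signatures; the metadata layout is simplified.
"""
import hashlib
import hmac
import json

# Constructed demo key; in TUF this would be a signing key pair per role.
REPO_KEY = b"constructed-demo-key-not-a-real-secret"
NOW = 1_426_000_000.0  # constructed clock, roughly March 2015
DAY = 86400


def _canonical(signed: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(signed: dict, key: bytes = REPO_KEY) -> dict:
    """Wrap metadata in an envelope carrying a signature tag over it."""
    return {"signed": signed, "sig": hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()}


class UpdateRejected(Exception):
    pass


class Client:
    """Remembers the highest metadata version accepted and the hashes it listed."""

    def __init__(self, key: bytes = REPO_KEY):
        self.key = key
        self.last_version = 0
        self.targets = {}  # filename -> sha256 hex from the accepted metadata

    def verify_metadata(self, envelope: dict, now: float) -> dict:
        signed = envelope["signed"]
        # 1. Signature: anything not signed by the repository key is rejected.
        expected = hmac.new(self.key, _canonical(signed), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("sig", "")):
            raise UpdateRejected("bad signature")
        # 2. Freeze: a genuine but expired file must not keep the client on old content.
        if signed["expires"] <= now:
            raise UpdateRejected("metadata expired")
        # 3. Rollback: a genuine but older version than one already seen is rejected.
        if signed["version"] < self.last_version:
            raise UpdateRejected(f"rollback: version {signed['version']} < {self.last_version}")
        return signed

    def update(self, envelope: dict, now: float) -> dict:
        signed = self.verify_metadata(envelope, now)
        self.last_version = signed["version"]
        self.targets = dict(signed["targets"])
        return self.targets

    def verify_target(self, name: str, content: bytes) -> bool:
        """Check a downloaded file against the hash pinned by accepted metadata."""
        want = self.targets.get(name)
        return want is not None and hmac.compare_digest(hashlib.sha256(content).hexdigest(), want)


# Constructed package contents: the old one is the "vulnerable" release.
OLD_PKG = b"foo-1.0 (vulnerable build)"
NEW_PKG = b"foo-1.1 (fixed build)"


def make_metadata(version: int, expires: float, pkg: bytes) -> dict:
    return sign_metadata({"version": version, "expires": expires,
                          "targets": {"foo.tbz2": hashlib.sha256(pkg).hexdigest()}})


META_V1 = make_metadata(1, NOW + DAY, OLD_PKG)
META_V2 = make_metadata(2, NOW + DAY, NEW_PKG)


def run_demo(now: float = NOW) -> dict:
    """Walk a client through a normal upgrade, then three attacks."""
    c, results = Client(), {}
    c.update(META_V1, now)  # first sync accepts v1
    c.update(META_V2, now)  # ordinary upgrade to v2
    results["v2_target_ok"] = c.verify_target("foo.tbz2", NEW_PKG)
    for label, envelope, clock in (
        ("rollback", META_V1, now),                      # replay of genuine v1
        ("freeze", META_V2, now + 2 * DAY),              # v2 served past expiry
        ("forged", {"signed": dict(META_V1["signed"], version=3),
                    "sig": META_V1["sig"]}, now),        # version bumped without the key
    ):
        try:
            c.update(envelope, clock)
            results[label] = "accepted"
        except UpdateRejected as exc:
            results[label] = str(exc)
    results["last_version"] = c.last_version
    results["old_pkg_rejected"] = not c.verify_target("foo.tbz2", OLD_PKG)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The order of checks matters: signature first, so an attacker cannot learn anything from the version or expiry logic without a validly signed file; then expiry, so a stale-but-genuine file cannot pin the client; then the monotonic version, which is what defeats the replay of an older signed file. Note that the version comparison is only meaningful because the client persists `last_version` across runs; a client that starts from zero every time has no rollback protection at all.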

Thread overview: 7+ messages
2015-03-10 21:15 [gentoo-portage-dev] Portage and Update Security Vladimir Diaz
2015-03-11 15:35 ` Rick "Zero_Chaos" Farina [this message]
2015-03-11 18:54 ` Zac Medico
2015-03-14 23:18 ` Alec Warner
2015-03-15 22:27   ` Vladimir Diaz
2015-03-16  1:23     ` Brian Dolbec
2015-07-14 14:43       ` Vladimir Diaz