[gentoo-security] Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)

[Chris Frey <cdfrey@netdirect.ca>]

On Sun, Nov 07, 2004 at 03:40:46PM +0000, Kurt Lieber wrote:
> As another poster already noted, of course it is, but it's not specific to
> Gentoo.  What happens if the server hosting the master repository of glibc
> gets compromised?  How do you know that hasn't already happened and there's
> back doors galore on your machine right now?  That may seem like a
> smart-ass question, but stop for a moment and consider it seriously.  How
> do you *KNOW* that there are no backdoors in the version of glibc on your
> computer right now?  

You don't.  But that's like saying there's no point in closing the front
door since the bedroom window might be open.  If the front door is closed
and locked, then at least we can pay more attention to the open window.

Plus, the glibc ebuild maintainer should be tracking the changes.  He knows
what's going on in glibc land, he knows the build process, he should be
in touch with the main developers, and he should be reading the diffs.

If he doesn't have the time or skill to do that, he can at least compare
against the work of people who do, such as the source packages of Debian
or Fedora Core.  It is pretty easy to do a diff.

Plus #2: both the glibc tarballs and the source packages of other distros
are signed.  The glibc maintainer should have all those signatures on hand,
if needed, and be verifying them all before he puts the entire Gentoo
user base at risk.

I think this point is a red herring.

> >  (2) Are there plans for getting it fixed?
> 
> We already implemented a major change nearly a year ago by moving
> 'rsync.gentoo.org' onto servers that are managed by the Gentoo team.
> Previously, we relied on community mirrors which worked well, but didn't
> allow us to ensure the servers were all held to the same high security
> standard. 

Excellent.

> We've also taken a number of other steps to mitigate this type of exposure
> including getting GPG signing into portage and the creation of an auditing
> project which reviews the ebuilds and code used in our distribution.

Fantastic.

> > I have read some of the material Alexander hyper-linked to
> > and, frankly, most of it is outright frightening.
> 
> Then you should immediately unplug your computer from the internet.  The
> minute you jack in, you're accepting some level of risk.  That's just the
> nature of the beast.

That's rather condescending.

I would instead recommend that he compare Gentoo to other distros that take
package signing more seriously.  It may be that the features and benefits
of a source-based distro like Gentoo outweigh the need for signed ebuilds,
like it does for me on one of my machines.  But it also may mean that
some machines require the security and peace of mind of another distro's
signing practices and verification policies.  Other machines I admin
fall into this category as well.

- Chris


--
gentoo-security@gentoo.org mailing list