
leaks in our only-signed-software fortress



Hey.

I've decided that I think it's important to CC this d-d:
Debian has a good system of securing packages and making sure that only signed stuff comes to the user.
Over time I've seen many holes in this:
- packages that are just wrapper packages, download something from somewhere without doing any
  hashsum checks at all
  Some firmware packages, some font packages, documentation etc. are/were like that.
- packages that eventually run some code which was downloaded unsecured.
  debootstrap used to be like that, pbuilder, and some others
- Some packages load and process content that could be secured but (is/was) not. IIRC the Contents files are not signed and therefore e.g. apt-file cannot secure this.
- Of those who actually DID checks, there were several that used weak checks (even though there was no
  need to), e.g. things like MD5 checks instead of something "better".

For many of those I've reported bugs (and I'm sure I didn't find a lot of them, and I'm further sure
that new cases were introduced).
Some were closed, some were just ignored or denied.


Recently with the Web 2.0 and AppStore/Market/etc. hype, things got even worse. If you wanna be cool, you cannot just distribute software that people can get and install regularly. You need some AppStore, where no user has any control on sources/security/etc. Often you even cannot
control when updates happen.

Mainly via the browsers (Mozilla, Chromium) this shit has found its way into Debian. Software installation bypasses the Debian archives but comes directly from any internet source
and gets installed locally in the user's homedir.

For Firefox we have fortunately a good team, which does real packaging of the extensions and the plugins. And Mike and the FF maintainers do a good job in trying to integrate Mozilla's extension crap into the
Debian way.
Nevertheless there are still holes from time to time, e.g. that FF tried to update extensions installed
from a Debian package.


Now the GNOME guys (talking about upstream) seem to be the new kids at the sandbox and when they've decided to assimilate the world with GNOME shell they also needed kind of an app store, I guess.
See my bug #660311.

Personally I decided to use GNOME-fallback, but via the meta-packages I still got the GNOME shell... today I've noticed that it silently installs an extension, which (I can only assume this by the little description) does some software installation/enabling for GNOME shell from extensions.gnome.org.
To me this sounds more like a root-kit than a feature.

This rant is not (!!) about blaming our GNOME maintainers, who really do a good job, ... I just hope to start some discussion about how Debian should deal with such hype developments ("Apps") which may be nice
for users, but not for security.
And also about the other mentioned "holes" in our beloved fortress that allows only signed code to get onto the system (unless of course you install something manually :P).

I mean there would be many places in Debian, where security could be improved... webservers shouldn't need a fancy default-works-out-of-the-box config which displays some Hello World pages... and actually, IMHO installing a daemon should not mean that it's automatically enabled (speaking of init scripts)... the config is likely
not yet finished/secured.
Well I doubt that things will change there... but we really should take care of whom we allow to provide our users with "external" software. Especially when this happens easily without the control (or much interaction)
of the users and/or admin.


Cheers,
Chris.
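The missing check from the first list item above (a wrapper package that downloads without any hashsum check, or with only an MD5 check), shown as the hardened form. This is an added example, not code from this mail or from any Debian package: a POSIX shell helper that fetches an upstream file and refuses to put it in place unless its SHA-256 matches a value carried inside the signed .deb. The URL, destination path and hash a caller passes in are placeholders; the point is that the hash itself reaches the user through the signed archive, so the unsigned download gains the archive's trust only if it matches.

```shell
#!/bin/sh
# Added example (not from the mail or any Debian package): download helper for a
# wrapper-style package. The expected SHA-256 is meant to live in the signed .deb
# (e.g. in the postinst or a data file), so the downloaded blob is only trusted
# when it matches what the maintainer actually tested.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise.
# sha256sum rather than md5sum: MD5 collisions are cheap to produce, so an MD5
# match no longer shows that the file is the one the hash was taken from.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST EXPECTED_HEX
# Downloads into a temporary file next to DEST, verifies it, and only then
# renames it into place, so a truncated or tampered download never appears at
# DEST and nothing downstream can run or unpack it.
fetch_verified() {
    url="$1"
    dest="$2"
    expected="$3"
    tmp=$(mktemp "${dest}.XXXXXX")
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "checksum mismatch for $url; refusing to install" >&2
        return 1
    fi
    mv "$tmp" "$dest"
}

# Usage (placeholders, not a real upstream location):
#   fetch_verified "$UPSTREAM_URL" /var/cache/example-pkg/blob.bin "$PINNED_SHA256"
```

A maintainer script that calls `fetch_verified` from postinst and aborts on a non-zero return gets the failure behaviour the mail asks for: the package install stops instead of silently using whatever the network returned. Pinning a hash does mean a new upload is needed whenever upstream changes the file, which is the cost of keeping the unsigned download tied to the signed archive.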

