The d-i CVS repository on cvs.debian.org is back in business. All
pserver accounts have been disabled, and will have to be re-enabled on
request with new passwords. Send a NEW password hash to
joeyh@debian.org, encrypted with my private key. May take until tomorrow
before I begin enabling those. Debian developers should be able to
commit to the repo already. The anonymous pserver access should work.
Anything else on cvs.debian.org is not yet up, as far as I know.
Since the PTS is down, commit emails would be delayed or lost. I have
moved them to go directly to this mailing list, until the PTS comes back
up. If you were not subscribed to the commit emails on the PTS, this
will be some more traffic, sorry.
If anyone has known-good CD images for beta 1 of the installer, please
send me a gpg signed md5sum of anything you have. Until we can verify
them, they will not be going back online.
Now, for the future, cvs, particularly pserver commit access, is not
secure enough to keep using much longer. We will be migrating to
subversion, sometime after beta 2 is released; tenatively in the
beginning of Janurary.
For now, let's get synced up. I'm excited to see what you've all been
working on this past week.
Appendix A and B below explain how I verified the content of the CVS
repository and CVSROOT.
Appendix A: verifying the d-i CVS repository
After the recent compromise of gluck, it's possible that the attacker
made modifications to the d-i CVS repository. I used the following
technique to verify the HEAD *only* of the repository:
1. Created a tarball of the CVS repo from gluck. It is here:
http://gluck.debian.org/~joeyh/tmp/debian-installer.tar.gz
md5sum: c028b7d2c0041e84a64f0ac1381d4045
2. Downloaded Pierre Machard's CVS checkout, dated Wed Nov 19 18:56:13
2003, and verified his detached gpg signature of the file. I call
this tree pmachard-d-i-19-nov.
3. Restored a copy of the CVS repo from a backup I made of my laptop
to CD-ROM on Nov 24th. The newest file was dated Nov 22nd.
I call this tree joeyh-d-i-22-nov.
4. Downloaded a tarball of my d-i CVS checkout from kitenet.net.
This was last updated Nov 17th, and had only one minor, known,
uncommitted change. I call this tree kite-d-i-17-nov.
(NB: there is a trust relationship between my laptop and kitenet.net.
If my laptop were compromised, kitenet.net could be compromised
trivially, and if kitenet.net were compromised, my laptop could be
compromised with difficulty.)
5. As an unprivelidged user on a system running knoppix (paranioa), used
cvs to check out d-i HEAD from the gluck CVS repo. I call this tree
gluck-d-i
6. diff --exclude=CVS -ur --new-file between gluck-d-i and each of the
other three trees. Manually examined the differences:
pmachard-d-i-19-nov:
- There are 70 thousand lines of changes between this tree and
gluck-d-i. Leaving out the changes to po files, it is 7
thousand lines, which I read. All appear legitimate changes
made since 19 nov.
joeyh-d-i-22-nov:
- same story as pmachard-d-i-19-nov, excluding po files, it all
looked ok. Diff was much smaller, I'm more sure I missed
nothing in this one.
kite-d-i-17-nov:
- Again excluding po files, it checked out ok.
I am now reasonably convinced that d-i's CVS head was not compromised.
While it's possible that they modified some history, it should be safe
to put the repo online. Any branches in there (eg, the mrvn branch)
should be verified to their owner's satisfaction before being used.
If anyone wants to verify the repo using their own sources and a similar
procedure, or send me additional gpg signed tarballs of known-good d-i
checkouts to verify, that would still be good. Another means of
verification that I have not done but someone could is check individual
packages against the known-good source packages in the debian archive.
Of course if someone has a backup of the actual d-i cvs repo lying
around, that would be even better.
Appendix B: verifying debian-boot's CVSROOT
I also had to verify the debian-boot CVSROOT directory. I did this by
inspection. log.pl was removed because it contains exploitable uses of
files in /tmp. I don't trust a quick audit of dolog.pl, so I removed it
as well (the log message is incorrect, it does not have known /tmp
issues). d-i does not use dolog.pl, but debian-cd, boot-floppies, fair,
mkdconf, and tasksel did, and will not currently send logs anywhere
until someone updates them to use syncmail. syncmail was also removed
from CVSROOT, and loginfo modified to use the known-good one in /usr/bin
instead. newlog.pl was unused and deleted rather than waste time
checking it.
--
see shy jo
Attachment:
signature.asc
Description: Digital signature