Re: Bits from the CD team: plans for debian-cd v3.0
On Thu, 14 Jul 2005, Steve McIntyre wrote:
> On Tue, Jul 12, 2005 at 04:10:30PM +0100, Colin Watson wrote:
> >On Tue, Jul 12, 2005 at 05:23:39PM +0300, Steve McIntyre wrote:
> >> 10. Signed Release files - we need a way to generate signed Release
> >> files on CDs, or to make apt happy with _all_ CDs (which is
> >> probably dangerous).
> >The problem we (Ubuntu) encountered after experience with signed CDs is
> >that a lot of people want to customise a CD image they've got, and
> >Release signatures make it really painful to do that; not to mention
> >developers trying to test small modifications to those same CD images.
> >I'm not really convinced that making apt happy with all CDs is actually
> >dangerous. Distributed CD images can be verified in other ways (does
> >jigdo-lite look for signed md5sums? I could imagine making it do so, if
> >it doesn't already), and people work around CD image signatures so much
> >that I've come to believe that they're worse than useless. Michael Vogt
> >is working on a modification to apt to make it trust all CDs.
> Yes, this is a thorny area. I'm a little concerned - if we've gone to
> all the effort of adding signatures to the main archive, then it does
> seem to be ducking the problem to just trust all CDs. Allowing CDDs
> and redistributors to add new signatures as well should boost the
> security of the whole chain to the end user, too.
> Maybe I'm being paranoid, but it wouldn't be too hard to get a lot of
> users to to blindly install bad packages (e.g. from a trojanned cover
Please keep in mind that, if I would trojan some cover disc, it'd be quite
easy to modify/recompile apt (on that same CD!) to blindly trust my trojanned
disc or just everything. Come to think of it, since apt is necessarily run as
root during the install process, it would make an interesting place for the
trojan code itself.
Bottom line: a CD can never authenticate itself. A CD can only be securely
authenticated by completely external code. As in: provide a downloadable
Windows program that checks CDs prior to any installation action.
(And for really paranoid people: turn off autorun for CDs first.)
When thinking about security, always think the black-hat way. And remember
that "hard" and "impossible" are two quite different concepts.