leaks in our only-signed-software fortress
I've decided that I think it's important to CC this d-d:
Debian has a good system of securing packages and making sure that only
signed stuff comes to the user.
Over time I've seen many holes in this:
- packages that are just wrapper packages, download something from
somewhere without doing any hashsum checks at all
Some firmware packages, some font packages, documentation etc. is/was
- packages that eventually run some code which was downloaded
debootstrap used to be like that, pbuilder, and some others
- Some packages load and process content that could be secured but
IIRC the Contents Files are not signed and therefore e.g. apt-file
cannot secure this.
Of those who actually DID checks, there were several that used weak
checks (even though there was no need to),... e.g. things like MD5
checks instead of something "better".
For many of those I've reported bugs (and I'm sure I didn't find a lot
of them, and I'm further sure that new cases were introduced).
Some were closed, some were just ignored or denied.
Recently with the Web2.0 and AppStore/Market/etc. hype, things got even
If you wanna be cool, you cannot just distribute software that people
can get and install regularly.
You need some AppStore, where no user has any control on
sources/security/etc. often you even cannot control when updates happen.
Mainly via the browsers (Mozilla, Chromium) this shit has found its
way into Debian.
Software installation bypasses the Debian archives but comes directly
from any internet source and gets installed locally in the user's homedir.
For Firefox we have fortunately a good team, which does real packaging
of the extensions and the plugins.
And Mike and the FF maintainers do a good job in trying to integrate
Mozilla's extension crap into the
Nevertheless there are still holes from time to time,.. e.g. that FF
tried to update extensions installed
from a Debian package.
Now the GNOME guys (talking about upstream) seem to be the new kids at
the sandbox and when they've decided to assimilate the world with GNOME
shell they also needed kind of an app store, I guess.
See my bug #660311.
Personally I decided to use GNOME-fallback, but via the meta-packages I
still got the GNOME shell... today
I've noticed that it silently installs an extension, which (I can only
assume this by the little
description) does some software installation/enabling for GNOME shell
To me this sounds more like a root-kit than a feature.
This rant is not (!!) about blaming our GNOME maintainers, who really
do some good job, ... I just hope to start
some discussion about how Debian should deal with such hype
developments ("Apps") which may be nice
for users, but not for security.
And also about the other mentioned "holes" in our beloved fortress that
allows only signed code
to get onto the system (unless of course you install something manually
I mean there would be many places in Debian, where security could be
improved... webservers shouldn't need a
fancy default-works-out-of-the-box config which displays some Hello
World pages... and actually, IMHO installing
a daemon should not mean that it's automatically enabled (speaking of
init scripts)... the config is likely
not yet finished/secured.
Well I doubt that things will change there... but we really should take
care on whom we allow to provide our
users with "external" software. Especially when this happens easily
without the control (or much interaction)
of the users and/or admin.
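
The first and fourth points in the message above (downloader packages with no hashsum check, and checks that use MD5) can be illustrated with a pinned-digest check of the kind a maintainer script could run before installing fetched data. This is an added example, not part of the original post and not code from any Debian package; the function names and the `algo:hex` pin format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pinned-digest check for a downloader ("wrapper") package.
# verify_pinned, install_verified and the "algo:hex" pin format are
# hypothetical names chosen for this illustration.

# verify_pinned FILE PIN
#   returns 0 only if FILE matches PIN, 1 on mismatch, 2 on an unusable pin
verify_pinned() {
    file=$1
    pin=$2
    algo=${pin%%:*}
    want=${pin#*:}
    case $algo in
        sha256) tool=sha256sum; len=64 ;;
        sha512) tool=sha512sum; len=128 ;;
        # MD5, SHA-1 and anything unrecognised are refused, not downgraded to.
        *) echo "refusing weak or unknown digest '$algo'" >&2; return 2 ;;
    esac
    # A truncated or non-hex pin (lowercase hex expected) is an error,
    # never a partial match.
    [ "${#want}" -eq "$len" ] || { echo "malformed pin" >&2; return 2; }
    case $want in *[!0-9a-f]*) echo "malformed pin" >&2; return 2 ;; esac
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    got=$("$tool" < "$file") || return 1
    got=${got%% *}
    [ "$got" = "$want" ] || { echo "digest mismatch for $file" >&2; return 1; }
}

# install_verified FILE DEST PIN
#   copies FILE to DEST only after the pinned digest has been confirmed
install_verified() {
    verify_pinned "$1" "$3" || return $?
    # Write to a temporary name and rename, so DEST never holds partial data.
    tmp="$2.tmp.$$"
    cp -- "$1" "$tmp" && mv -- "$tmp" "$2"
}
```

The pin has to ship inside the signed package itself; a digest fetched from the same server as the data proves nothing about its origin.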