
Re: holes in secure apt

On Thu, 2014-06-12 at 08:58 +0200, Thijs Kinkhorst wrote: 
> > Anyone who believed in getting trusted sources might have been attacked
> > with forged packages, and even the plain build of such package might
> > have undermined users' security integrity.
> >
> > The same is the case with all debian build systems which probably rely
> > on secure APT.
> It's possible, yes, but you could have noted that exploitation would
> still require someone to be able to successfully position themselves to
> perform mitm operations between different Debian machines, which is far
> from trivial to say the least.
Well I don't think it's that difficult either, is it?
It could be my local sysadmin here at the institute (not that he'd do
such things)... it could be any network provider,... and of course any
of NSA and their friends.

Of course if the latter guys really want to break in they'll probably
find some way ... but we don't have to open the gates and make it
trivial for them.

> We (the security team) will contact the maintainer about a fix for stable.
> In the future, I suggest you familiarize yourself with the proper contact
> points when you want to raise an issue. The address for security issues is
> team@security.debian.org, not debian-devel. You're always welcome on
> #debian-security if you're unsure about how to handle an issue or where
> it's best reported.
Well this wasn't about the report that it's still open in stable
(actually I only noticed that when Joey mentioned it)... even the
requests for some proper communication to the users (via CVE and DSA)
are just a "side point"...

My main concern is how we can tighten security here and I think that
discussion belongs to debian-devel.
It's not that one person alone could go through all the relevant
packages and fix them... I think before anything like that makes sense,
some sane policy would be needed first, on how packages must behave:
- are tools allowed to do things unsecured unless the user explicitly
  gives some very special flag (think of the example that (IIRC)
  debootstrap doesn't do any verifications, when debian-archive-keyring is
  not installed - IMHO behaviour like that should be banned)
- exit status behaviour (like tools giving 0, although some files like
  Release* were ignored)
- etc. pp. (basically the things I've mentioned before)

> If you want to discuss your plans to work on improving APT, you're more
> on-topic at deity@lists.debian.org.
Well I knew of the APT list,... but as said... I think this goes beyond
just APT (even though APT is probably at the core)... or at least I
wouldn't consider things like [c]debootstrap, apt-list*, pbuilder, etc.
to be APT.


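The fail-closed behaviour asked for in the message above (no unverified operation without an explicit flag, and no exit status 0 when Release files could not be checked), sketched as an added shell example. It is not part of the original message and not code from apt or debootstrap; the function name, the override flag and the exit codes are assumptions chosen for illustration, and gpgv is the only external tool it calls.

```shell
#!/bin/sh
# Added example: not code from apt, debootstrap or any other Debian tool.
# verify_release, its override flag and its exit codes are hypothetical.
#   0 = signature verified            2 = cannot verify (fail closed)
#   1 = signature did not verify      3 = skipped by explicit user override
# Usage: verify_release DIR KEYRING [--i-accept-unverified-packages]

verify_release() {
    vr_dir=$1
    vr_keyring=$2
    vr_override=${3:-}

    # The only unverified path is one the user asked for by name, and it
    # still does not report plain success, so a build system can tell.
    if [ "$vr_override" = "--i-accept-unverified-packages" ]; then
        echo "WARNING: $vr_dir/Release NOT verified (explicit override)" >&2
        return 3
    fi

    # A missing keyring, Release file or signature is an error,
    # never a reason to continue without checking.
    for vr_f in "$vr_keyring" "$vr_dir/Release" "$vr_dir/Release.gpg"; do
        if [ ! -s "$vr_f" ]; then
            echo "ERROR: cannot verify, missing or empty: $vr_f" >&2
            return 2
        fi
    done
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "ERROR: cannot verify, gpgv not installed" >&2
        return 2
    fi

    # gpgv checks the detached signature against this keyring only.
    if gpgv --keyring "$vr_keyring" "$vr_dir/Release.gpg" "$vr_dir/Release" \
            >/dev/null 2>&1; then
        return 0
    fi
    echo "ERROR: signature on $vr_dir/Release did not verify" >&2
    return 1
}
```

A caller that treats every status other than 0 as fatal gets the banned-by-default behaviour; status 3 exists only so that an explicitly requested skip is still distinguishable from a verified run.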