
apt 0.6 and how it does *not* solve the problem



I've been giving APT 0.6 a lot of thought lately and have come to
the conclusion that it is a whole lot of snake oil in the context of
the Debian project as we have it. Bear with me for a second... I am
not about to take the piss out of the APT 0.6 people, who have done
an outstanding job. The problem is deeper...

From my understanding, APT 0.6 checks MD5 sums all the way up to the
Releases file[0], which is signed with the archive key. So far, so
good, assuming that the local APT keyring only contains the current
Debian archive key, the chain of trust ensures that any package that
verifies locally was uploaded to the archive by someone in control
of a trusted Debian developer key (assuming ftp-master.d.o and
similar machines weren't compromised).

My problem is not with the technology of APT 0.6 but rather with our
project. If I may eyeball it, then we consist of 1000 developers of
which about 600 are active. 300 participate half-heartedly, 70 do
not anymore, and 30 have stopped caring about Debian and possibly
computers altogether. In the latter case, the chance of a compromise
of their GPG key is incredulously high. But even without the
assumption... with 1000 keys, the chances of one being compromised
are extremely high. I know that most of us actually guard the keys
properly, but I am more than sure that plenty of developers exist that
do not know how to handle GPG keys securely (think about all the
private keyrings found on gluck and other machines).

So if I wanted to attack 80% of all Debian machines all over the
world, I would try to compromise one of the 1000 keys, thereby
getting write access to the incoming queue. Then, I could NMU
a package and upload a trojaned version, best one that waits a year
before activating, just to make sure I actually hit stable.
Obviously, I'd take something like ssh and wait for Colin to take
time off, then change the maintainer address and effectively hijack
the thing to make sure Colin never sees a katie announcement. If
I get the timing right, I might be able to hit the freeze time.

I realise that there's a lot of stuff that has to happen for it all
to work out, but I also realise that it's not impossible, despite
the low chance. And that's enough for me.

So I guess this email isn't about APT 0.6, which does what it should
and does so well. It's more about the dangers of having 1000 keys
allowing write access to the archive, and no one capable of
playing sheriff with the size of the project anymore.

Debian did not have package signatures for years, and it's been
rarely a problem. Now we are going to add them, but the sole effect
is that of a false security feeling. To me, APT 0.6 is snake oil,
which is *not* an offence to the guys behind apt-secure. It's
a criticism of the organisation as a whole, and it's a rant without
a solution that I can propose.

I think, adding package signatures will actually make Debian less
secure than it was before, although it's doubtful that the average
user will notice or care.

I'd be interested to hear your thoughts.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
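
The checksum chain the message describes (package, then Packages index, then the signed Release file), sketched as an added example; it is not part of the original post and not APT's own code. It assumes the Release file's signature has already been checked against the archive key, and every file content and name below is constructed.

```python
import hashlib

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_release_md5(release_text):
    """Return {path: (md5, size)} from the MD5Sum: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(packages_text):
    """Return {package name: {field: value}} from a Packages index."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        index[fields["Package"]] = fields
    return index

def verify_chain(release_text, index_path, packages_bytes, name, deb_bytes):
    """Check deb -> Packages -> Release (Release assumed already signature-checked)."""
    rel = parse_release_md5(release_text)
    if rel.get(index_path) != (md5(packages_bytes), len(packages_bytes)):
        return "Packages index does not match Release"
    entry = parse_packages(packages_bytes.decode()).get(name)
    if entry is None:
        return "package not listed in Packages"
    if (entry["MD5sum"], int(entry["Size"])) != (md5(deb_bytes), len(deb_bytes)):
        return "package does not match Packages"
    # Nothing checked here identifies which developer key authorised the upload.
    return "ok"

# Constructed sample data (not taken from a real archive)
DEB = b"constructed stand-in for a .deb file"
PACKAGES = ("Package: hello\nVersion: 1.0-1\n"
            "Filename: pool/main/h/hello/hello_1.0-1_i386.deb\n"
            f"Size: {len(DEB)}\nMD5sum: {md5(DEB)}\n").encode()
INDEX = "main/binary-i386/Packages"
RELEASE = ("Origin: Example\nSuite: unstable\nMD5Sum:\n"
           f" {md5(PACKAGES)} {len(PACKAGES)} {INDEX}\n")
```

A result of "ok" says the file is the one the archive published; it says nothing about whose key put it there, which is the gap the message is concerned with.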
