Re: Study: Attacks on package managers (inclusing apt)

To: Russ Allbery <rra@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: Study: Attacks on package managers (inclusing apt)
From: Goswin von Brederlow <goswin-v-b@web.de>
Date: Fri, 18 Jul 2008 13:21:00 +0200
Message-id: <87zlofo2ub.fsf@frosties.localdomain>
In-reply-to: <8763r485ie.fsf@windlord.stanford.edu> (Russ Allbery's message of "Thu, 17 Jul 2008 16:17:45 -0700")
References: <1216306014.31418.6.camel@localhost> <20080717150835.GJ2712@mathom.us> <20080717153012.GT17993@pond.riseup.net> <87r69si9el.fsf@frosties.localdomain> <7ff145960807171254s5bee43b6keb26e7e2ecef924b@mail.gmail.com> <20080717210837.GN2712@mathom.us> <8763r485ie.fsf@windlord.stanford.edu>

Russ Allbery <rra@debian.org> writes:

> Michael Stone <mstone@debian.org> writes:
>> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
>
>>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>>> and not only on a master, the various .gpg files and packages can, even
>>> though difficult, be modified on the single mirror.  IMHO, verification
>>> needs to have an alternate channel than the downloads.
>
>> If someone can modify gpg signatures we have a bigger problem that can't
>> be solved by any solution proposed thus far.
>
> You have to make sure the Release.gpg and Timestamp.gpg files are linked
> in some fashion, or the fake mirror will just update its Timestamp.gpg
> file from the real mirror regularly while leaving all other files the
> same.

Timestamp.gpg would be the signature for Release just like Release.gpg
is.

> In the debian-devel thread, the proposal was to instead resign Release.gpg
> and rely on the timestamp of its signature, which I think is a cleaner and
> simpler solution.

That would require the signing key to be online. For stable and
possibly security an offline key for manual signing is strongly
preferable.

MfG
        Goswin

PS: Instead of a timestamp.gpg the Release.gpg you have 2
signatures. One fixed manual one by the release team and one daily
automatic one by the automatic archive key.

Reply to:

References:
- Study: Attacks on package managers (inclusing apt)
  - From: Daniel Leidert <daniel.leidert.spam@gmx.net>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Michael Stone <mstone@debian.org>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Micah Anderson <micah@riseup.net>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: "Jim Popovitch" <yahoo@jimpop.com>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Michael Stone <mstone@debian.org>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Study: Attacks on package managers (inclusing apt)
Next by Date: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Previous by thread: Re: Study: Attacks on package managers (inclusing apt)
Next by thread: Re: Study: Attacks on package managers (inclusing apt)
Index(es):
- Date
- Thread