
Re: debcheckroot v1.0 released



Hi Elmar!

This is a most interesting tool!

The opensuse logo on http://www.elstel.org/debcheckroot/ is confusing,
since this is a Debian tool. This might scare off interested people.

> As Debian package headers do not use to be signed

I think you are mistaken here or maybe I misunderstand. When you have a
Debian medium you trust (such as a Live DVD from a trusted source), we
can regard keys in /etc/apt/trusted.gpg.d/ and /etc/apt/trusted.gpg as
trusted.

For example http://ftp.us.debian.org/debian/dists/jessie/InRelease and
http://ftp.us.debian.org/debian/dists/jessie/Release.gpg are gpg signed
by the Debian archive key. So when you run apt-get update followed by
apt-get download $packagename, you get a package that is signed by
the Debian archive key. You can then unpack the package, create sha sums of
all its contents and then compare with the installed system. Sure, it's
not perfect, but worth verifying this trust chain. It would be
better/cleaner/simpler to implement this if Debian would publish signed
sha sums files of all package contents. Lots of opportunities to
improve Debian in order to implement such a feature here.

-

I once attempted to write a script that can be run from a Live DVD to
audit an installed Debian on hdd or to mount an image with Debian and to
audit that. That script can be found here:
https://github.com/Whonix/whonix-developer-meta-files/blob/master/deprecated_code/verify_build

This approach seemed futile to me. At least for now. There are too many
files that are automatically generated by postinst scripts. For
example /usr/lib/pymodules/python2.7/**/__init__.pyc gets automatically
generated. Even worse, the file is non-deterministic.

In the future the situation may improve:
https://wiki.debian.org/ReproducibleBuilds

It would also help if Debian had an OEM mode. Links to these discussions
can be found here:
http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20131209/000010.html

-

For Whonix, Verifiable Builds have been implemented, which is similar to
this tool:
http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20131209/000009.html

As a maintainer of Whonix and interested in that feature, I am naturally
interested in your tool.

> Why you should not use debsums

Please don't be so harsh on debsums. It's not for backdoor detection,
but great as a simple integrity check.

Cheers,
Patrick
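
Added example, not part of the message above and not code from debcheckroot or Whonix: a POSIX shell sketch of the comparison step described in the message (unpack a package fetched through apt, hash its contents, compare with the installed system). The function name `verify_unpacked` and the MISSING/TYPE/MODIFIED report format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Obtaining the trusted copy needs network access, so those
# steps are shown as comments only:
#   apt-get update                    # apt checks the signed Release data
#   apt-get download "$packagename"   # .deb hash is checked against that data
#   dpkg-deb -x "$packagename"_*.deb /tmp/unpacked
#
# verify_unpacked UNPACKED_DIR INSTALLED_ROOT
#   Compares every regular file under UNPACKED_DIR with the file at the same
#   relative path under INSTALLED_ROOT (for example a mounted disk image).
#   Prints one line per discrepancy, returns 0 if all match, 1 otherwise.
verify_unpacked() (
    unpacked=${1%/}
    root=${2%/}
    report=$(find "$unpacked" -type f | LC_ALL=C sort |
        while IFS= read -r path; do
            rel=${path#"$unpacked"/}
            inst=$root/$rel
            if [ ! -e "$inst" ] && [ ! -L "$inst" ]; then
                # Shipped by the package but absent on the audited system.
                echo "MISSING $rel"
            elif [ -L "$inst" ] || [ ! -f "$inst" ]; then
                # Package ships a regular file; the system has a symlink,
                # directory or device there. Do not follow it, report it.
                echo "TYPE $rel"
            elif [ "$(sha256sum < "$path")" != "$(sha256sum < "$inst")" ]; then
                echo "MODIFIED $rel"
            fi
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
)
```

Configuration files edited by the administrator will be reported as MODIFIED, and files created by postinst scripts (the `.pyc` case mentioned in the message) are not covered because they are not in the package. File names containing newlines are not handled.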

