Re: concrete steps for improving apt downloading security and privacy

[Hans-Christoph Steiner <hans@at.or.at>]

On 07/14/2014 01:12 PM, Michael Stone wrote:
> On Mon, Jul 14, 2014 at 12:45:38PM -0400, Hans-Christoph Steiner wrote:
>> One place that this will help a lot is managing completely offline machines,
>> like machines for running secure build and signing processes.  Right now, in
>> order to install a package securely on an offline machine, I have to make sure
>> that the apt-get cache is no older than two weeks, otherwise apt-get considers
>> the info expired and no longer trusted.  It make sense to have a listing of
>> packages and updates expire.  It does not make sense to have the signature on
>> an individual package expire.  Debian does not provide the later option.
> 
> Or, you could make use of the Check-Valid-Until and Min-ValidTime options in
> apt.conf. There's a reason things are done the way they are, and you probably
> aren't going to find a lot of interest in getting people to do a lot of work
> to create a system which is duplicative at best and less secure at worst.
> 
> Mike Stone

Sure, those options would work well for people who understand them and want to
tweak them. I'm not interested in that.  I'm currently working on a
TAILS-based system for running build and signing processes on machines that
_never_ go online.  So that means that changing the apt config is not an
option.  I'm working with apt-offline currently and that helps a lot.

TAILS is a live CD, but provides a method of installing and maintaining new
packages on top of what is provided by the live CD.  That means those packages
are stored in an encrypted stash, and are installed on each boot.  So in order
to use this feature, the apt cache needs to be refreshed using apt-offline at
least every two weeks, otherwise the packages won't be installed since apt can
no longer validate them.

Having a system that verifies existing .deb files against their own signature
would eliminate this problem entirely.  The apt expiration is only meant to
protect against network attacks, so having to work around the expiration on a
completely offline machine only complicates the process of running an offline
machine, which also has security ramifications.

For more info:
https://dev.guardianproject.info/projects/psst/wiki/CleanRoom
https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html
https://tails.boum.org/blueprint/remember_installed_packages/
https://labs.riseup.net/code/issues/7208

.hc