> IMHO, Red Hat, Slackware, Irix, SunOS, Solaris, HPUX are NOT AS
> LIKELY to INSTALL a booby-trapped package.
Let's look at your assumptions.
> Since extraction, compilation, and testing are nominally done by an
> unprivelaged user (e.g. tool.bin)
That's a pretty big assumption.
> a booby-trap has to be clever enough to pass
> the fitness of purpose testing done by the tool manager.
The problem is that these other organizations have a smaller staff than
Debian with little time to spend on any one package. So you are assuming that
a tool manager (only one?) would see something that one of 150 less-overworked
Debian developers would not.
Or, you are assuming that a Debian developer gets onto the project
using fraudulent ID, and then corrupts a package.
> Users, groups, and permissions are used like doors.
I have worked as a Unix systems programmer since 1981, you do not
need to explain this. I do not call myself a "guru" simply because
people have no right to call themselves gurus, it is a title bestowed
> Author traceability is good, but a central certification authority
> implies either a substantial barrier to entry (the cost of certification
> process reliable enough for valuables), or a risk of forgery too high to
> protect valuables.
I agree that non-privileged installation is interesting, although to do
it right you need a _separate_ ID for every package. Otherwise, you
lump 100 packages into the same non-privileged ID and that one ID has
too much power. However, anyone who can write a script that does
something bad at installation time can as easily write a trojan-horse
that runs at program execution time. Trojans are easier to hide than
installation actions because the installation actions are invariably
shell or perl scripts while the trojans are buried in the source of a
large program or its executable. Any time a user executes a program
containing a trojan horse the privileges of that user are added to the
trojan's tool kit.
I would like to see a proposal for reduced-privilege installation using
dpkg/dselect . Feel free to write one and make a test implementation.
Unfortunately, I feel that Debian must bear the cost of certification
of maintainers and original authors. Unless I can tell someone I know
where a program came from, no other security procedures can be trusted
to have any effectiveness whatsoever.
Bruce Perens K6BP Bruce@Pixar.com 510-215-3502
Finger bruce@master.Debian.org for PGP public key.
PGP fingerprint = 88 6A 15 D0 65 D4 A3 A6 1F 89 6A 76 95 24 87 B3
- Re: RPM
- From: Nicolás Lichtmaier <nick@Feedback.com.ar>