
freshmeat editorial about package management security issues



We're interested in presenting an editorial on freshmeat about
security issues related to package management systems, and were hoping
you would have the time to answer a few questions.  If you don't have
time or if there's someone who would be better able to answer, please
let me know.

------------------------------------------------------------------------------
The popularity of apt and rpm has led to a large number of users
relying on automatic upgrades through their package management
systems.  Old timers who insist on compiling everything from source
can be understandably concerned about the process of downloading a
binary and installing it with minimal admin intervention.  The
convenience is bought at the price of trust in the system.  How would
you answer the following questions?  Do you agree or disagree that the
concerns they express are valid?  If they are valid and are not
currently addressed, do you have any ideas about how the problems
could be fixed?

* What facilities does your package manager (or a third party add-on,
  such as autorpm) provide for automatic upgrading of installed
  packages?
* Who controls the package archives from which new packages are
  downloaded?  If it's possible for third party archives to be used,
  does your package manager warn the user that packages are being
  downloaded from somewhere other than the official source?
* Does your package manager support digital signatures that can
  confirm that the package is from the packager it claims to be from
  and has not been tampered with?
* Are there procedures in place to check for trojans/virii/etc. in the 
  original source package?
* Are there procedures in place to check for trojans/virii/etc. in the 
  package itself (for example, in the scripts used to install the
  package)?
* If someone were to sneak a trojan into a package, it could spread to 
  thousands of machines overnight as admins performed automated
  upgrades on their systems.  If this were to happen, would it be
  possible for you to prepare a package that would fix the problem on
  the next dist-upgrade (not everyone reads security bulletins, so not 
  everyone will be aware that she's been compromised)?
* The answer to the previous question is naturally somewhat dependent
  on the nature of the trojan.  As a worst case scenario:  Is it
  possible for someone to insert a trojan into your upgrade stream
  which would disable your package upgrade system on the client side,
  making it impossible for you to distribute a fix through the normal
  method?
* If the answer to the previous question is "yes", do you think it
  would be beneficial to establish a class of protected packages which 
  can only be upgraded with packages that come signed by you?
------------------------------------------------------------------------------
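As an added example (not part of the original mail, and not the code of apt, rpm or any real package manager), the following Go program models the trust policy the last few questions sketch: a package is accepted only if a trusted key verifies it, a third-party signer produces a warning rather than a silent install, and an assumed protected set (here apt and dpkg) can only be upgraded under the vendor's own key. Keys and package bodies are generated and constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Policy models the trust decisions the questions raise (a constructed model,
// not apt's or rpm's real metadata or keyring format).
type Policy struct {
	VendorKey ed25519.PublicKey   // the distribution's own signing key
	Trusted   []ed25519.PublicKey // vendor key plus third-party keys the admin added
	Protected map[string]bool     // packages only the vendor key may upgrade
}

// Decide returns "allow", "warn" (trusted third-party signer, not the official
// source) or "reject", judging by which trusted key verifies, not a claimed origin.
func (p Policy) Decide(name string, payload, sig []byte) string {
	for _, key := range p.Trusted {
		if !ed25519.Verify(key, payload, sig) {
			continue
		}
		if key.Equal(p.VendorKey) {
			return "allow"
		}
		if p.Protected[name] {
			return "reject" // a third party may not replace the upgrade machinery itself
		}
		return "warn"
	}
	return "reject" // no trusted key signed this payload, or it changed after signing
}

// Scenario runs the cases the questions describe with fresh keys and constructed bodies.
func Scenario() map[string]string {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	thirdPub, thirdPriv, _ := ed25519.GenerateKey(rand.Reader)
	p := Policy{VendorKey: vendorPub, Trusted: []ed25519.PublicKey{vendorPub, thirdPub},
		Protected: map[string]bool{"apt": true, "dpkg": true}}
	apt, foo := []byte("apt 0.5 payload"), []byte("foo 1.0 payload")
	altered := append([]byte(nil), apt...)
	altered[0] ^= 1 // flipped after signing: what a tampered mirror copy looks like
	return map[string]string{
		"vendor apt":      p.Decide("apt", apt, ed25519.Sign(vendorPriv, apt)),
		"third-party foo": p.Decide("foo", foo, ed25519.Sign(thirdPriv, foo)),
		"third-party apt": p.Decide("apt", apt, ed25519.Sign(thirdPriv, apt)),
		"altered apt":     p.Decide("apt", altered, ed25519.Sign(vendorPriv, apt)),
		"unsigned foo":    p.Decide("foo", foo, nil),
	}
}
```

The "altered apt" and "unsigned foo" cases show that the protected-package rule is applied to the key that actually verifies, so a package that merely claims an official origin gains nothing.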

That's a start, anyway; we may have more questions for you later as we 
ponder your replies.  :)

Thanks for your time!

