freshmeat editorial about package management security issues
We're interested in presenting an editorial on freshmeat about
security issues related to package management systems, and were hoping
you would have the time to answer a few questions. If you don't have
time or if there's someone who would be better able to answer, please
let me know.
------------------------------------------------------------------------------
The popularity of apt and rpm has led to a large number of users
relying on automatic upgrades through their package management
systems. Old-timers who insist on compiling everything from source
can be understandably concerned about the process of downloading a
binary and installing it with minimal admin intervention. The
convenience is bought at the price of trust in the system. How would
you answer the following questions? Do you agree or disagree that the
concerns they express are valid? If they are valid and are not
currently addressed, do you have any ideas about how the problems
could be fixed?
* What facilities does your package manager (or a third-party add-on,
such as autorpm) provide for automatic upgrading of installed
packages?
* Who controls the package archives from which new packages are
downloaded? If it's possible for third-party archives to be used,
does your package manager warn the user that packages are being
downloaded from somewhere other than the official source?
* Does your package manager support digital signatures that can
confirm that the package is from the packager it claims to be from
and has not been tampered with?
* Are there procedures in place to check for trojans/viruses/etc. in the
original source package?
* Are there procedures in place to check for trojans/viruses/etc. in the
package itself (for example, in the scripts used to install the
package)?
* If someone were to sneak a trojan into a package, it could spread to
thousands of machines overnight as admins performed automated
upgrades on their systems. If this were to happen, would it be
possible for you to prepare a package that would fix the problem on
the next dist-upgrade (not everyone reads security bulletins, so not
everyone will be aware that she's been compromised)?
* The answer to the previous question is naturally somewhat dependent
on the nature of the trojan. As a worst case scenario: Is it
possible for someone to insert a trojan into your upgrade stream
which would disable your package upgrade system on the client side,
making it impossible for you to distribute a fix through the normal
method?
* If the answer to the previous question is "yes", do you think it
would be beneficial to establish a class of protected packages which
can only be upgraded with packages that come signed by you?
------------------------------------------------------------------------------
That's a start, anyway; we may have more questions for you later as we
ponder your replies. :)
Thanks for your time!
Reply to:
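The questions about third-party archives, digital signatures and a class of protected packages describe one client-side trust policy. The following is an added example, not code from freshmeat or from any real package manager, that models that policy in Go: each archive signs a manifest (name, version, SHA-256 of the payload) with an Ed25519 key, the client verifies the signature under the archive's key, warns when the archive is not the official one, and refuses upgrades to protected packages unless they are signed by the distributor's key. The Archive, SignedPackage and Policy types and the package names used are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Archive is one repository a client may download from (a hypothetical
// model for this example, not a real apt or rpm data structure).
type Archive struct {
	Name     string
	Official bool              // true only for the distribution's own archive
	PubKey   ed25519.PublicKey // key this archive signs its packages with
}

// SignedPackage is what the client receives: metadata, payload and a
// detached signature over a manifest that binds name, version and payload.
type SignedPackage struct {
	Name    string
	Version string
	Payload []byte
	Sig     []byte
}

// manifest is the exact byte string that gets signed. Binding the payload
// digest to name and version stops a validly signed package from being
// re-labelled as a different package or version.
func manifest(name, version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(name + "\n" + version + "\n" + hex.EncodeToString(sum[:]) + "\n")
}

// Sign produces a package signed with an archive's private key.
func Sign(priv ed25519.PrivateKey, name, version string, payload []byte) SignedPackage {
	return SignedPackage{
		Name: name, Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, manifest(name, version, payload)),
	}
}

// Policy is the client-side trust configuration: the distributor's key and
// the set of packages that only the distributor may upgrade.
type Policy struct {
	Distributor ed25519.PublicKey
	Protected   map[string]bool
}

var (
	ErrBadSignature = errors.New("signature does not verify under the archive key: tampered or mis-attributed")
	ErrProtected    = errors.New("protected package: only distributor-signed upgrades are accepted")
)

// Verify returns the warnings the package manager should show the admin and
// an error if the package must be rejected outright.
func (p Policy) Verify(pkg SignedPackage, from Archive) ([]string, error) {
	// Integrity and origin: the signature must verify under the key of the
	// archive the package claims to come from.
	if !ed25519.Verify(from.PubKey, manifest(pkg.Name, pkg.Version, pkg.Payload), pkg.Sig) {
		return nil, ErrBadSignature
	}
	var warnings []string
	if !from.Official {
		warnings = append(warnings, fmt.Sprintf("%s %s downloaded from third-party archive %q",
			pkg.Name, pkg.Version, from.Name))
	}
	// Protected class: a third-party key, even a valid one, may not replace
	// the packages that the upgrade system itself depends on.
	if p.Protected[pkg.Name] && !from.PubKey.Equal(p.Distributor) {
		return warnings, ErrProtected
	}
	return warnings, nil
}

func main() {
	distPub, distPriv, _ := ed25519.GenerateKey(rand.Reader)
	thirdPub, thirdPriv, _ := ed25519.GenerateKey(rand.Reader)
	official := Archive{Name: "official", Official: true, PubKey: distPub}
	third := Archive{Name: "contrib.example", Official: false, PubKey: thirdPub}
	policy := Policy{Distributor: distPub, Protected: map[string]bool{"apt": true}}

	// Constructed packages for the demonstration.
	fmt.Println(policy.Verify(Sign(distPriv, "vim", "6.0-1", []byte("vim"), ), official))
	fmt.Println(policy.Verify(Sign(thirdPriv, "vim", "6.0-2", []byte("vim2")), third))
	tampered := Sign(distPriv, "vim", "6.0-1", []byte("vim"))
	tampered.Payload = []byte("vim plus trojan")
	fmt.Println(policy.Verify(tampered, official))
	fmt.Println(policy.Verify(Sign(thirdPriv, "apt", "0.5-1", []byte("apt")), third))
}
```

The last case is the one the final question is about: a third-party archive that signs its own replacement for the upgrade tool is rejected by policy rather than by signature failure, so the distributor's channel for pushing a fix stays intact even if an admin has enabled that archive.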