
#1 2009-10-26 20:10:14

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Is Arch currently trustworthy?

Okay, not to start a flame war or anything but... I know you guys got rooted not so very long ago. How do you now know that all the packages in the repositories are okay? I assume they were all rebuilt on a known safe machine, and the version number upped so that potentially compromised packages on users' machines would be replaced?

Also, what measures have been taken to prevent such a rooting from happening again?


#2 2009-10-26 21:33:13

sokuban
Member
Registered: 2006-11-11
Posts: 412

Re: Is Arch currently trustworthy?

This is actually a good thing to bring up, and it represents one big problem with all Linux distributions. Are the repos safe? Even if they aren't rooted, what if the whole distro was made to steal credit card data from its users or whatever? I'm not saying Arch Linux is like that, but I always wondered what sort of defence you could use against those kind of stuff.

In the future when (if) Linux gets popular, there might be malicious distributions popping up like that and how would anyone know? Just use the popular distros? What if even the popular distros are in it?

And wait- what? We got rooted? When? Is my computer safe? O_o


#3 2009-10-26 22:05:10

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,097

Re: Is Arch currently trustworthy?

Gullible Jones wrote:

Okay, not to start a flame war or anything but... I know you guys got rooted not so very long ago. How do you now know that all the packages in the repositories are okay? I assume they were all rebuilt on a known safe machine, and the version number upped so that potentially compromised packages on users' machines would be replaced?

Also, what measures have been taken to prevent such a rooting from happening again?

The packages were not compromised. The reason everything disappeared was a bad script.

There have been lots of discussions about package signing, but that wouldn't really help in this case.

One thing that has been done is separating the web stuff from the rest by using virtual machines, so an intrusion into the mainpage/forum/flyspray/whatever won't affect the packages and so on.

Last edited by Mr.Elendig (2009-10-26 22:12:08)


Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest


#4 2009-10-26 22:13:57

Themaister
Member
From: Trondheim, Norway
Registered: 2008-07-21
Posts: 652
Re: Is Arch currently trustworthy?

You always have the possibility of building everything from source with ABS.

Last edited by Themaister (2009-10-26 22:14:06)


#5 2009-10-26 22:23:28

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,967
Re: Is Arch currently trustworthy?

Mr.Elendig wrote:

The packages were not compromised. The reason everything disappeared was a bad script.

There have been lots of discussions about package signing, but that wouldn't really help in this case.

One thing that has been done is separating the web stuff from the rest by using virtual machines, so an intrusion into the mainpage/forum/flyspray/whatever won't affect the packages and so on.

No, the linked script just pruned the repo. But there was a break-in via flyspray. At that time packages were checked against a local copy.

Anyway; package signing would help a lot. It's not just about the main server. There are a lot of mirrors and everything in between to inject bad packages.


#6 2009-10-26 22:25:50

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,097

Re: Is Arch currently trustworthy?

Pierre wrote:
Mr.Elendig wrote:

The packages were not compromised. The reason everything disappeared was a bad script.

There have been lots of discussions about package signing, but that wouldn't really help in this case.

One thing that has been done is separating the web stuff from the rest by using virtual machines, so an intrusion into the mainpage/forum/flyspray/whatever won't affect the packages and so on.

No, the linked script just pruned the repo. But there was a break-in via flyspray. At that time packages were checked against a local copy.

Anyway; package signing would help a lot. It's not just about the main server. There are a lot of mirrors and everything in between to inject bad packages.

That's what I meant. The script was why all the packages disappeared, not the break-in itself. :)



#7 2009-10-26 23:35:40

_dunmer
Member
From: Bratislava, Slovakia
Registered: 2008-10-03
Posts: 40

Re: Is Arch currently trustworthy?

sokuban wrote:

This is actually a good thing to bring up, and it represents one big problem with all Linux distributions. Are the repos safe? Even if they aren't rooted, what if the whole distro was made to steal credit card data from its users or whatever? I'm not saying Arch Linux is like that, but I always wondered what sort of defence you could use against those kind of stuff.

In the future when (if) Linux gets popular, there might be malicious distributions popping up like that and how would anyone know? Just use the popular distros? What if even the popular distros are in it?

And wait- what? We got rooted? When? Is my computer safe? O_o

This is not about Linux; with this kind of thinking, you can trust only software written by yourself. :)


#8 2009-10-27 02:14:14

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: Is Arch currently trustworthy?

Pierre wrote:

Anyway; package signing would help a lot. It's not just about the main server. There are a lot of mirrors and everything in between to inject bad packages.

Arch can't be considered trustworthy until package signing is implemented. I can place my trust in the developers but I cannot place my trust in the mirrors.

My suggestion, if anyone is willing, is to place the signature in the packages so that pacman -U can take advantage of the signing system. If I were to design it, I would have a new package format (perhaps *.pkg.sec) which would simply be a tar bundle of the old package type (*.pkg.tar.gz) and a signature file.

My 2 cents.


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies


#9 2009-10-27 02:27:05

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,650
Re: Is Arch currently trustworthy?

The implementation of package signing at the makepkg end is (mostly?) done. And pacman is about halfway there. There have been several starts at implementing this, but everyone seems to get bored and never finish... So until someone steps up and actually gets this done, we will not have package signing.


#10 2009-10-27 04:29:56

axion419
Member
Registered: 2007-04-12
Posts: 185

Re: Is Arch currently trustworthy?

I think signing would be great; I also think a project like this is a great chance for http://bounty.archlinux.ca/ to make a difference. I mean, if it's been started multiple times, maybe some incentive for the coders would help get it finished.

edit: Also there is a wiki page on this, http://wiki.archlinux.org/index.php/Pac … ge_signing

Last edited by axion419 (2009-10-27 04:30:59)


#11 2009-10-27 05:26:57

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,650
Re: Is Arch currently trustworthy?

axion419 wrote:

I think signing would be great; I also think a project like this is a great chance for http://bounty.archlinux.ca/ to make a difference. I mean, if it's been started multiple times, maybe some incentive for the coders would help get it finished.

Go ahead and submit it.  I have previously suggested it here, but no-one seems up to actually writing the proposal.

Another great example of how interest disappears after an initial push.  Last real edit 4 months ago.


#12 2009-10-27 05:52:21

gog
Member
Registered: 2009-10-13
Posts: 103

Re: Is Arch currently trustworthy?

I sync the database to arch's server but dl the packages from the mirrors.

I also use powerpill's segmented downloading... there's very little chance of getting an injected package, unless all servers are in conspiracy!


#13 2009-10-27 07:45:16

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,360

Re: Is Arch currently trustworthy?

I seriously wonder about the paranoia inherent in the assumption that YOUR machine is a good target. Anyone here gives their chairs a shake before sitting down, just in case?

Some paranoia is good, but for a personal machine where my main concern is that I don't lose data rather than my boring life is open to some no-life hacker or big conglomerate, I'd worry much more about having high-integrity backups than some possible loopholes allowing external parties access to my machine.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.


#14 2009-10-27 08:36:00

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Is Arch currently trustworthy?

gog wrote:

I sync the database to arch's server but dl the packages from the mirrors.

I also use powerpill's segmented downloading... there's very little chance of getting an injected package, unless all servers are in conspiracy!

You just need to get malicious packages on the main rsync server.


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))


#15 2009-10-27 08:37:09

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Is Arch currently trustworthy?

ngoonee wrote:

I seriously wonder about the paranoia inherent in the assumption that YOUR machine is a good target. Anyone here gives their chairs a shake before sitting down, just in case?

Some paranoia is good, but for a personal machine where my main concern is that I don't lose data rather than my boring life is open to some no-life hacker or big conglomerate, I'd worry much more about having high-integrity backups than some possible loopholes allowing external parties access to my machine.

I would agree if someone accessing your machine only affected the confidentiality and not the integrity of your data.
But that is obviously not the case :)



#16 2009-10-27 08:48:41

gog
Member
Registered: 2009-10-13
Posts: 103

Re: Is Arch currently trustworthy?

shining wrote:
gog wrote:

I sync the database to arch's server but dl the packages from the mirrors.

I also use powerpill's segmented downloading... there's very little chance of getting an injected package, unless all servers are in conspiracy!

You just need to get malicious packages on the main rsync server.

Well, if the head server is also up for grabs then I don't think package signing will satisfy the OP.


#17 2009-10-27 12:51:53

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Is Arch currently trustworthy?

shining wrote:
ngoonee wrote:

I seriously wonder about the paranoia inherent in the assumption that YOUR machine is a good target. Anyone here gives their chairs a shake before sitting down, just in case?

Some paranoia is good, but for a personal machine where my main concern is that I don't lose data rather than my boring life is open to some no-life hacker or big conglomerate, I'd worry much more about having high-integrity backups than some possible loopholes allowing external parties access to my machine.

I would agree if someone accessing your machine only affected the confidentiality and not the integrity of your data.
But that is obviously not the case :)

I figure the chance of getting your system compromised through man-in-the-middle attacks via the mirrors is smaller than losing your data little by little, mostly unnoticed, through bit rot, silent data corruption and hardware failures.


#18 2009-10-27 16:04:42

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Re: Is Arch currently trustworthy?

Allan wrote:
axion419 wrote:

I think signing would be great, I also think a project like this is a great chance for http://bounty.archlinux.ca/ to make a difference.  I mean, if its been started multiple times, maybe some incentive for the coders would help get it finished.

Go ahead and submit it.  I have previously suggested it here, but no-one seems up to actually writing the proposal.

If someone were to do this, I would immediately contribute $50 of Schwag profits to the project. The conditions would have to be acceptance of the finished product by the developers, including the evil patch-eater, Dan McGee.

Dusty


#19 2009-10-27 16:31:59

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Is Arch currently trustworthy?

Dusty wrote:

If someone were to do this, I would immediately contribute $50 of Schwag profits to the project. The conditions would have to be acceptance of the finished product by the developers, including the evil patch-eater, Dan McGee.

Maybe this could go directly to Dan; he already did some work on it, and he kept repeating over the last two months that he is willing to do this. But he still needs some extra motivation I guess :)



#20 2009-10-27 21:24:38

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Re: Is Arch currently trustworthy?

I can give it directly to Dan, but I'd rather see it as a bounty project so:

a) more people can donate
b) arch bounty can be tested and justified
c) people can help Dan

I have no problem with Dan or other developers doing bounty work, I just want the bounties to be well defined before donations are accepted, so there are fewer arguments when the work is completed.

Dusty


#21 2009-10-27 23:17:21

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: Is Arch currently trustworthy?

Dusty wrote:

I can give it directly to Dan, but I'd rather see it as a bounty project so:

a) more people can donate
b) arch bounty can be tested and justified
c) people can help Dan

I have no problem with Dan or other developers doing bounty work, I just want the bounties to be well defined before donations are accepted, so there are fewer arguments when the work is completed.

Dusty

Wow, awesome. I will see if I have funds I can siphon from. :D

One condition I would like to see is a requirement that the package signature verification be decoupled from the transport. But I guess that goes without saying. ;)



#22 2009-10-28 00:25:18

hokasch
Member
Registered: 2007-09-23
Posts: 1,461

Re: Is Arch currently trustworthy?

fsckd wrote:

Wow, awesome. I will see if I have funds I can siphon from.

One condition I would like to see is a requirement that the package signature verification be decoupled from the transport. But I guess that goes without saying.

First step would be that someone writes up a proposal to define the goals of this project - if you have clear conditions what package signing should provide, please go ahead and write one! (I'm out, no clue about it)


#23 2009-10-28 00:51:42

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,360

Re: Is Arch currently trustworthy?

shining wrote:
ngoonee wrote:

I seriously wonder about the paranoia inherent in the assumption that YOUR machine is a good target. Anyone here gives their chairs a shake before sitting down, just in case?

Some paranoia is good, but for a personal machine where my main concern is that I don't lose data rather than my boring life is open to some no-life hacker or big conglomerate, I'd worry much more about having high-integrity backups than some possible loopholes allowing external parties access to my machine.

I would agree if someone accessing your machine only affected the confidentiality and not the integrity of your data.
But that is obviously not the case :)

Back-ups :)

Seriously, an offline backup in some external hard disk and you're set.



#24 2009-11-06 20:02:24

axion419
Member
Registered: 2007-04-12
Posts: 185

Re: Is Arch currently trustworthy?

Alright, I want to get something written up for the bounty. The main problem is that I am not very knowledgeable about the process of signing lol. It basically seems the packages need to be signed with a key from the maintainers and then verified by pacman. Here is my meager attempt so far; if people can please post some more ideas for me, I can do the actual writing up of the bounty.


Idea
    The general idea would be to verify that all packages that are created by the maintainers maintain their data integrity throughout the process of being synced to mirrors and then onto our machines.

Goal
    Implement a system where the packages are cryptographically signed by trusted maintainer keys and then verified by pacman when they are downloaded by a user. The maintainers should either have a GPG (is there something better?) key that they share or their own individual keys that they use to sign packages once they are created. The public keys should be able to be downloaded en masse from Arch. The keys will be downloaded and the packages will be compared against the key that was used to create the packages. On the user's end the keys could be downloaded, compressed and stored in a common directory. When keys are changed or a new developer is created, the package manager would have to be able to compare the keys on the local host to the keys on the main key server.

Last edited by axion419 (2009-11-06 20:59:09)
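As an added illustration of the scheme sketched in this post and of fsckd's "package plus signature file" bundle earlier in the thread (example code written here, not pacman's or makepkg's own): Ed25519 stands in for GPG, and the key id is a hypothetical SHA-256 of the public key in place of a fingerprint. Signing happens once on the maintainer's side; verification looks only at the downloaded bytes and the local keyring, so a package altered on a mirror, or signed with a key the keyring does not hold, is rejected no matter which server served it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keyring is the set of maintainer public keys the local host trusts,
// indexed by key id (hypothetical: SHA-256 of the key, not a GPG fingerprint).
type Keyring map[string]ed25519.PublicKey

func KeyID(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// SignedPackage is the bundle fsckd describes: the package bytes, a
// detached signature over them, and the id of the key that produced it.
type SignedPackage struct {
	KeyID string
	Pkg   []byte
	Sig   []byte
}

// SignPackage is the maintainer-side step, run once after the build.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) SignedPackage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPackage{KeyID: KeyID(pub), Pkg: pkg, Sig: ed25519.Sign(priv, pkg)}
}

var ErrUnknownKey = errors.New("signing key is not in the local keyring")
var ErrBadSignature = errors.New("signature does not match package contents")

// VerifyPackage is the user-side step. It depends only on the bytes
// received and the local keyring, never on which server sent them.
func VerifyPackage(kr Keyring, sp SignedPackage) error {
	pub, ok := kr[sp.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, sp.Pkg, sp.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pkg := []byte("constructed stand-in for foo-1.0-1.pkg.tar.gz") // sample input
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)               // maintainer key
	kr := Keyring{KeyID(pub): pub}                                 // trusted on this host
	sp := SignPackage(priv, pkg)
	fmt.Println("genuine package:", VerifyPackage(kr, sp))
	sp.Pkg = append([]byte("altered in transit: "), sp.Pkg...) // mirror changed the bytes
	fmt.Println("altered package:", VerifyPackage(kr, sp))
	_, other, _ := ed25519.GenerateKey(rand.Reader) // key that was never added to the keyring
	fmt.Println("unknown key:", VerifyPackage(kr, SignPackage(other, pkg)))
}
```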


#25 2009-11-06 20:50:48

Nezmer
Member
Registered: 2008-10-24
Posts: 559
Re: Is Arch currently trustworthy?

Nothing to see here

Last edited by Nezmer (2009-11-06 20:51:32)


English is not my native language.
