You are not logged in.

#1 2011-03-19 08:03:48

Fingel
Member
Registered: 2009-02-28
Posts: 98

Arch Package Signing issue getting big on Reddit

Hey all,
This post has been getting a lot of attentions since it was written 2 days ago. Worth a read.
0wning Arch: Why package signing is important.
Definitely worth a read, although I don't see any real risk at the moment. I mean how likely is is that someone is going to arp spoof you at a coffee shop to pull this off? The chances of someone actually taking advantage of this in the wild seems pretty slim to me.


# edit: descriptive title added

Last edited by jasonwryan (2011-03-21 04:10:39)

Offline

#2 2011-03-19 08:57:07

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: Arch Package Signing issue getting big on Reddit

Fingel wrote:

Definitely worth a read, although I don't see any real risk at the moment. I mean how likely is is that someone is going to arp spoof you at a coffee shop to pull this off? The chances of someone actually taking advantage of this in the wild seems pretty slim to me.

Yes, that seems to be the general consensus at this point. I would also be more anxious about someone stealing my passwords on an ARP-poisoned network than getting me to install manipulated Arch packages.


ᶘ ᵒᴥᵒᶅ

Offline

#3 2011-03-19 09:15:55

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941
Website

Re: Arch Package Signing issue getting big on Reddit

i don't really want to read your crappy blog. You said about reddit, post the damn reddit link smile

p.s that blog is kinda useless, new one, only one post. doesn't worth trying reading. That ideas are not original, almost copy/pasted from an old one

Last edited by wonder (2011-03-19 09:18:05)


Give what you have. To someone, it may be better than you dare to think.

Offline

#4 2011-03-19 09:17:50

SanskritFritz
Member
From: Budapest, Hungary
Registered: 2009-01-08
Posts: 1,923
Website

Re: Arch Package Signing issue getting big on Reddit


zʇıɹɟʇıɹʞsuɐs AUR || Cycling in Budapest with a helmet camera || Revised log levels proposal: "FYI" "WTF" and "OMG" (John Barnette)

Offline

#5 2011-03-19 10:13:03

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch Package Signing issue getting big on Reddit

Can somebody diff this blogpost with the ones we've already seen and post the result? I'm not in the mood for a deja vu.

I take two sugars and some milk. Thanks :-)

Offline

#6 2011-03-19 10:17:48

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: Arch Package Signing issue getting big on Reddit

karol wrote:

Can somebody diff this blogpost with the ones we've already seen and post the result? I'm not in the mood for a deja vu.

I take two sugars and some milk. Thanks :-)

It's probably the same as this: https://bbs.archlinux.org/viewtopic.php?id=115137


ᶘ ᵒᴥᵒᶅ

Offline

#7 2011-03-19 10:25:18

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch Package Signing issue getting big on Reddit

litemotiv wrote:
karol wrote:

Can somebody diff this blogpost with the ones we've already seen and post the result? I'm not in the mood for a deja vu.

I take two sugars and some milk. Thanks :-)

It's probably the same as this: https://bbs.archlinux.org/viewtopic.php?id=115137

OK, I diffed them myself and I'm positive they're the same.

Now I'm going to make myself some coffee and have a good day anyway.

Offline

#8 2011-03-19 10:26:47

Awebb
Member
Registered: 2010-05-06
Posts: 6,268

Re: Arch Package Signing issue getting big on Reddit

If all the minutes spent in writing board posts and blog entries about signed packages were spent in writing and submitting patches (and concepts for mirrors etc) we'd already have signed packages. I don't know how many patches are sent in. say, every month, but I'd bet we have three times the threads and rants.

Offline

#9 2011-03-19 11:57:11

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,556

Re: Arch Package Signing issue getting big on Reddit

wonder wrote:

i don't really want to read your crappy blog. You said about reddit, post the damn reddit link smile

p.s that blog is kinda useless, new one, only one post. doesn't worth trying reading. That ideas are not original, almost copy/pasted from an old one

so nice and polite...

Offline

#10 2011-03-19 15:05:20

Fingel
Member
Registered: 2009-02-28
Posts: 98

Re: Arch Package Signing issue getting big on Reddit

wonder wrote:

i don't really want to read your crappy blog. You said about reddit, post the damn reddit link smile

p.s that blog is kinda useless, new one, only one post. doesn't worth trying reading. That ideas are not original, almost copy/pasted from an old one

It's not my blog. Why would I disagree with my own blog? Since you asked, here's the  "damn Reddit link"
Don't be such a typical dev wonder tongue

Offline

#11 2011-03-19 15:49:44

flamelab
Member
From: Athens, Hellas (Greece)
Registered: 2007-12-26
Posts: 2,160

Re: Arch Package Signing issue getting big on Reddit

bangkok_manouel wrote:
wonder wrote:

i don't really want to read your crappy blog. You said about reddit, post the damn reddit link smile

p.s that blog is kinda useless, new one, only one post. doesn't worth trying reading. That ideas are not original, almost copy/pasted from an old one

so nice and polite...

I think wonder is being "impolite", because that particular blog post is an exact copy of a continuous rant of a (banned now) member here in the forums about package signing. So he (that member) is doing the same thing outside the forums, in a blog. It would be much better from him to have helped, instead of ranting.

Last edited by flamelab (2011-03-19 15:50:58)

Offline

#12 2011-03-20 01:55:49

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,556

Re: Arch Package Signing issue getting big on Reddit

flamelab wrote:
bangkok_manouel wrote:
wonder wrote:

i don't really want to read your crappy blog. You said about reddit, post the damn reddit link smile

p.s that blog is kinda useless, new one, only one post. doesn't worth trying reading. That ideas are not original, almost copy/pasted from an old one

so nice and polite...

I think wonder is being "impolite", because that particular blog post is an exact copy of a continuous rant of a (banned now) member here in the forums about package signing. So he (that member) is doing the same thing outside the forums, in a blog. It would be much better from him to have helped, instead of ranting.

ok my bad, makes more sense in context but that was a bit shocking at first. thanks for taking the time to explain.

Offline

#13 2011-03-21 03:35:04

ssri
Member
Registered: 2010-02-16
Posts: 216

Re: Arch Package Signing issue getting big on Reddit

Really, this stuff should be taken up in pacman-dev if anyone wants this accomplished.  Maybe there should be an open thread in TGN about this if people want to get it off their chests. **checking** Whoops, there was... before it got locked..

//In before this one goes by the way of the dodo...

Offline

#14 2011-03-21 03:44:42

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: Arch Package Signing issue getting big on Reddit

ssri wrote:

Really, this stuff should be taken up in pacman-dev if anyone wants this accomplished.  Maybe there should be an open thread in TGN about this if people want to get it off their chests. **checking** Whoops, there was... before it got locked..

//In before this one goes by the way of the dodo...

This seems a good place for a mod to interject smile.

Yes there was such a thread, and it has since been removed. This wasn't because of the subject matter, but because of how it was being dealt with. Stating opinions on security etc. is fine, but the discussion on the removed threads had turned to ranting about how "pacman's devs are irresponsible" and other similar opinions (including that the lack of signed package was part of some sort of conspiracy against the concept).

Feel free to discuss the topic, but remember that the Arch community is in the end a community, not a place to rant. Serious discussion (including all technical implementation details) belong on the [pacman-dev] list, as with any other topic of this nature.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#15 2011-03-21 06:24:43

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: Arch Package Signing issue getting big on Reddit

flamelab wrote:
bangkok_manouel wrote:
wonder wrote:

i don't really want to read your crappy blog. You said about reddit, post the damn reddit link smile

p.s that blog is kinda useless, new one, only one post. doesn't worth trying reading. That ideas are not original, almost copy/pasted from an old one

so nice and polite...

I think wonder is being "impolite", because that particular blog post is an exact copy of a continuous rant of a (banned now) member here in the forums about package signing. So he (that member) is doing the same thing outside the forums, in a blog. It would be much better from him to have helped, instead of ranting.

He's been spamming Linux-related forums for the last several weeks about this issue, just generally rabble-rousing.  From what I've seen, the guy may have done the community a favor, since numerous respondents have basically said "I was gonna try Arch 'cuz a friend of a friend said it was cool, but wasn't aware of this issue or how Arch worked, and now I'm scared and don't think I'll bother."  Basically diverting the intellectually lazy away from Arch.  He claims to have come up with an easily-implemented solution; however, he also claims the devs have basically blown his brilliant idea off. And he can't be bothered to patch and repackage pacman and sign some packages himself (as an open and observable test-case) despite supposedly having the resources and skills necessary to do so.

Offline

#16 2011-03-21 08:12:29

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Arch Package Signing issue getting big on Reddit

ANOKNUSA wrote:

...Basically diverting the intellectually lazy away from Arch.

Maybe he's not the total-tool (tm) I thought he was tongue

Seriously, I wish this guy would just drop this bone he keeps chewing on. This is the point of free software; you are free to use it if it suits your needs. If it doesn't, then you have a choice:
1) Fix it yourself.
2) Use something else.
Winging, screaming, ranting and raving at people who owe you NOTHING will solve absolutely nothing.

Offline

#17 2011-03-21 08:50:09

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: Arch Package Signing issue getting big on Reddit

I'd like to remind all forum members that forum rules on appropriate behaviour apply just as much whether the 'target' of a post is Arch-related or opposed to Arch smile. Not targetted at any particular posting above this one, just a general notification.

The user in question here, while raising various accusations and quite a few complaints, has also written a tool which does chip away at the problem (paccheck - http://aur.archlinux.org/packages.php?ID=46763 ), so at the very least he's not just purely out to create havoc and destruction.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#18 2011-03-21 10:42:38

keenerd
Package Maintainer (PM)
Registered: 2007-02-22
Posts: 647
Website

Re: Arch Package Signing issue getting big on Reddit

The following views do not reflect a dev/TU consensus and are entirely my own.

If you are a dev/TU who is curious about signing there nothing stopping you from signing your packages.  I signed all the packages I've built (all three, meaning 0.06% repository coverage).  Sign your packages, post the sigs (and your pubkey) somewhere.

A signature is just a really big number.  "Signing" can refer to either simply the existence a verifiable number, or to having an entire infrastructure for automatically generating/sharing/confirming the really big numbers.  We can do signing with just the first.  You don't have to wait for an automagic tool, you can do it yourself by hand.  Odd that I have to explain that to Archers, but hey :-)

It is simple.  Get your packages onto your computer.  Preferably by building them locally.  Then run

find ./ -name '*.pkg.*' | xargs -n 1 gpg -b
scp *.sig foosite:/sigpath/

That will make a bunch of detached .sig files.  Upload those anywhere and tell people.  Mine are at http://pkgbuild.com/~kkeen/sigs/

The previous views do not reflect a dev/TU consensus and are entirely my own.

Last edited by keenerd (2011-03-21 20:23:24)

Offline

#19 2011-03-21 11:56:46

punkrockguy318
Member
From: New Jersey
Registered: 2004-02-15
Posts: 711
Website

Re: Arch Package Signing issue getting big on Reddit

Fingel wrote:

although I don't see any real risk at the moment. I mean how likely is is that someone is going to arp spoof you at a coffee shop to pull this off? The chances of someone actually taking advantage of this in the wild seems pretty slim to me.

Running Arch on the desktop, I complete agree with you.

You can't forget about the server world, however.  If a potential attacker knew that a server was running Arch, the attack could be implemented with relative ease (besides the man-in-middle attack)

That being said, I'm running arch on my server with no complaints.  With such a small minority of servers running Arch, and with the moderate difficulty of executing the MiM attack, I'm not worried and will continue to happily use Arch on my server.

But package list signing _would_ be nice smile

Last edited by punkrockguy318 (2011-03-21 12:02:36)


If I have the gift of prophecy and can fathom all mysteries and all knowledge, and if I have a faith that can move mountains, but have not love, I am nothing.   1 Corinthians 13:2

Offline

#20 2011-03-21 12:22:32

Awebb
Member
Registered: 2010-05-06
Posts: 6,268

Re: Arch Package Signing issue getting big on Reddit

keenerd wrote:

That will make a bunch of detached .sig files.  Upload those anywhere and tell people.  Mine are at http://pkgbuild.com/~kkeen/sigs/

And if you keep the old signatures for a while it should not be a problem to check those packages even if a server is out of sync. I only see a small obstacle: We'd need a central server to host those fingerprints. Personal public keys, only used for singing packages? At least I see now why it's not happening over night...

Offline

#21 2011-03-21 12:40:09

kgas
Member
From: Qatar
Registered: 2008-11-08
Posts: 718

Re: Arch Package Signing issue getting big on Reddit

I remember  misfit138 quote some where about security. If you know less your are happy. If you know more you will become paranoid.

Offline

#22 2011-03-21 14:43:49

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: Arch Package Signing issue getting big on Reddit

My take on this is:
It is better to have no package signing than a half-arsed implimentation with no trustworthy distribution of the keys. Package signing doesn't help at all if you can (relativly) easily poison the pubkeys/signature list after all. On a lan I could easily do a dns spoof and point http://pkgbuild.com/~kkeen/sigs/ to my list of bogus keys and signatures, possibly making it even easier for me to infect machines with trojans, since "the package is signed, so it must be safe and valid!"(I have seen something similar happen in real life, where fake signed packages for a commercial telecom product was spread widely after a attack on their dns server). What is needed is a safe and trustworthy distribution of the signatures and keys, and there should only be a limited number if keys, that doesn't change too often, to help make key spoofing somewhat less likely/more easily detectable. It would be ideal if the keys could be confirmed by eg a sms service.

Last edited by Mr.Elendig (2011-03-21 14:49:34)


Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest

Offline

#23 2011-03-21 16:18:42

keenerd
Package Maintainer (PM)
Registered: 2007-02-22
Posts: 647
Website

Re: Arch Package Signing issue getting big on Reddit

Mr.Elendig - Mostly good points.  Two flaws though.

There is never a trustworthy way to distribute keys, short of me flying across the world and handing you it on a piece of paper.  The best we can do it share the keys in as many places as possible.  (With physical key swaps in the few places it is easily doable.)  I am not claiming my current arrangement is sufficient, but with my key out on a few keyservers it would be fine.

There should not be a limited number of keys.  At the very least you need one per dev.

Awebb - every dev and TU already has a keypair.  Any dev or TU can do this for their packages right now.

Offline

#24 2011-03-21 16:20:37

KimTjik
Member
From: Sweden
Registered: 2007-08-22
Posts: 715

Re: Arch Package Signing issue getting big on Reddit

fukawi2 wrote:

Winging, screaming, ranting and raving at people who owe you NOTHING will solve absolutely nothing.

But for some it's a placebo for a real purpose. Works wonders, but still accomplishes nothing.

Offline

#25 2011-03-21 18:10:56

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch Package Signing issue getting big on Reddit

Offline

Board footer

Powered by FluxBB