Hey all,
This post has been getting a lot of attention since it was written 2 days ago. Worth a read.
0wning Arch: Why package signing is important.
Definitely worth a read, although I don't see any real risk at the moment. I mean, how likely is it that someone is going to ARP spoof you at a coffee shop to pull this off? The chances of someone actually taking advantage of this in the wild seem pretty slim to me.
# edit: descriptive title added
Last edited by jasonwryan (2011-03-21 04:10:39)
Offline
Definitely worth a read, although I don't see any real risk at the moment. I mean, how likely is it that someone is going to ARP spoof you at a coffee shop to pull this off? The chances of someone actually taking advantage of this in the wild seem pretty slim to me.
Yes, that seems to be the general consensus at this point. I would also be more anxious about someone stealing my passwords on an ARP-poisoned network than getting me to install manipulated Arch packages.
ᶘ ᵒᴥᵒᶅ
Offline
I don't really want to read your crappy blog. You mentioned Reddit, so post the damn Reddit link.
P.S. That blog is kinda useless: it's new, with only one post. It isn't worth reading. Those ideas are not original, almost copy/pasted from an old one.
Last edited by wonder (2011-03-19 09:18:05)
Give what you have. To someone, it may be better than you dare to think.
Offline
zʇıɹɟʇıɹʞsuɐs AUR || Cycling in Budapest with a helmet camera || Revised log levels proposal: "FYI" "WTF" and "OMG" (John Barnette)
Offline
Can somebody diff this blogpost with the ones we've already seen and post the result? I'm not in the mood for a deja vu.
I take two sugars and some milk. Thanks :-)
Offline
Can somebody diff this blogpost with the ones we've already seen and post the result? I'm not in the mood for a deja vu.
I take two sugars and some milk. Thanks :-)
It's probably the same as this: https://bbs.archlinux.org/viewtopic.php?id=115137
ᶘ ᵒᴥᵒᶅ
Offline
karol wrote:Can somebody diff this blogpost with the ones we've already seen and post the result? I'm not in the mood for a deja vu.
I take two sugars and some milk. Thanks :-)
It's probably the same as this: https://bbs.archlinux.org/viewtopic.php?id=115137
OK, I diffed them myself and I'm positive they're the same.
Now I'm going to make myself some coffee and have a good day anyway.
Offline
If all the minutes spent writing board posts and blog entries about signed packages were spent writing and submitting patches (and concepts for mirrors etc.) we'd already have signed packages. I don't know how many patches are sent in, say, every month, but I'd bet we have three times as many threads and rants.
Offline
I don't really want to read your crappy blog. You mentioned Reddit, so post the damn Reddit link.
P.S. That blog is kinda useless: it's new, with only one post. It isn't worth reading. Those ideas are not original, almost copy/pasted from an old one.
so nice and polite...
Offline
I don't really want to read your crappy blog. You mentioned Reddit, so post the damn Reddit link.
P.S. That blog is kinda useless: it's new, with only one post. It isn't worth reading. Those ideas are not original, almost copy/pasted from an old one.
It's not my blog. Why would I disagree with my own blog? Since you asked, here's the "damn Reddit link".
Don't be such a typical dev, wonder.
Offline
wonder wrote: I don't really want to read your crappy blog. You mentioned Reddit, so post the damn Reddit link.
P.S. That blog is kinda useless: it's new, with only one post. It isn't worth reading. Those ideas are not original, almost copy/pasted from an old one.
so nice and polite...
I think wonder is being "impolite" because that particular blog post is an exact copy of a continuous rant by a (now banned) member here on the forums about package signing. So he (that member) is doing the same thing outside the forums, in a blog. It would have been much better for him to help instead of ranting.
Last edited by flamelab (2011-03-19 15:50:58)
Offline
bangkok_manouel wrote: wonder wrote: I don't really want to read your crappy blog. You mentioned Reddit, so post the damn Reddit link.
P.S. That blog is kinda useless: it's new, with only one post. It isn't worth reading. Those ideas are not original, almost copy/pasted from an old one.
so nice and polite...
I think wonder is being "impolite" because that particular blog post is an exact copy of a continuous rant by a (now banned) member here on the forums about package signing. So he (that member) is doing the same thing outside the forums, in a blog. It would have been much better for him to help instead of ranting.
OK, my bad, it makes more sense in context, but that was a bit shocking at first. Thanks for taking the time to explain.
Offline
Really, this stuff should be taken up on pacman-dev if anyone wants this accomplished. Maybe there should be an open thread in TGN about this if people want to get it off their chests. **checking** Whoops, there was... before it got locked.
//In before this one goes by the way of the dodo...
Offline
Really, this stuff should be taken up on pacman-dev if anyone wants this accomplished. Maybe there should be an open thread in TGN about this if people want to get it off their chests. **checking** Whoops, there was... before it got locked.
//In before this one goes by the way of the dodo...
This seems a good place for a mod to interject.
Yes, there was such a thread, and it has since been removed. This wasn't because of the subject matter, but because of how it was being dealt with. Stating opinions on security etc. is fine, but the discussion in the removed threads had turned to ranting about how "pacman's devs are irresponsible" and other similar opinions (including that the lack of signed packages was part of some sort of conspiracy against the concept).
Feel free to discuss the topic, but remember that the Arch community is in the end a community, not a place to rant. Serious discussion (including all technical implementation details) belongs on the [pacman-dev] list, as with any other topic of this nature.
Allan - Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
bangkok_manouel wrote: wonder wrote: I don't really want to read your crappy blog. You mentioned Reddit, so post the damn Reddit link.
P.S. That blog is kinda useless: it's new, with only one post. It isn't worth reading. Those ideas are not original, almost copy/pasted from an old one.
so nice and polite...
I think wonder is being "impolite" because that particular blog post is an exact copy of a continuous rant by a (now banned) member here on the forums about package signing. So he (that member) is doing the same thing outside the forums, in a blog. It would have been much better for him to help instead of ranting.
He's been spamming Linux-related forums for the last several weeks about this issue, just generally rabble-rousing. From what I've seen, the guy may have done the community a favor, since numerous respondents have basically said "I was gonna try Arch 'cuz a friend of a friend said it was cool, but wasn't aware of this issue or how Arch worked, and now I'm scared and don't think I'll bother." Basically diverting the intellectually lazy away from Arch. He claims to have come up with an easily-implemented solution; however, he also claims the devs have basically blown his brilliant idea off. And he can't be bothered to patch and repackage pacman and sign some packages himself (as an open and observable test-case) despite supposedly having the resources and skills necessary to do so.
Offline
...Basically diverting the intellectually lazy away from Arch.
Maybe he's not the total tool (tm) I thought he was.
Seriously, I wish this guy would just drop this bone he keeps chewing on. This is the point of free software: you are free to use it if it suits your needs. If it doesn't, then you have a choice:
1) Fix it yourself.
2) Use something else.
Whinging, screaming, ranting and raving at people who owe you NOTHING will solve absolutely nothing.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
I'd like to remind all forum members that the forum rules on appropriate behaviour apply just as much whether the 'target' of a post is Arch-related or opposed to Arch. Not targeted at any particular posting above this one, just a general notification.
The user in question here, while raising various accusations and quite a few complaints, has also written a tool which does chip away at the problem (paccheck - http://aur.archlinux.org/packages.php?ID=46763 ), so at the very least he's not just purely out to create havoc and destruction.
Allan - Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
The following views do not reflect a dev/TU consensus and are entirely my own.
If you are a dev/TU who is curious about signing, there is nothing stopping you from signing your packages. I signed all the packages I've built (all three, meaning 0.06% repository coverage). Sign your packages, post the sigs (and your pubkey) somewhere.
A signature is just a really big number. "Signing" can refer either to simply the existence of a verifiable number, or to having an entire infrastructure for automatically generating/sharing/confirming the really big numbers. We can do signing with just the first. You don't have to wait for an automagic tool; you can do it yourself by hand. Odd that I have to explain that to Archers, but hey :-)
It is simple. Get your packages onto your computer. Preferably by building them locally. Then run
find . -name '*.pkg.tar.*' ! -name '*.sig' -print0 | xargs -0 -n 1 gpg -b   # one detached .sig per package; skip .sig files already present
scp ./*.sig foosite:/sigpath/                                                  # publish the signatures next to (or anywhere near) the packages
That will make a bunch of detached .sig files. Upload those anywhere and tell people. Mine are at http://pkgbuild.com/~kkeen/sigs/
The previous views do not reflect a dev/TU consensus and are entirely my own.
Last edited by keenerd (2011-03-21 20:23:24)
Offline
although I don't see any real risk at the moment. I mean, how likely is it that someone is going to ARP spoof you at a coffee shop to pull this off? The chances of someone actually taking advantage of this in the wild seem pretty slim to me.
Running Arch on the desktop, I completely agree with you.
You can't forget about the server world, however. If a potential attacker knew that a server was running Arch, the attack could be implemented with relative ease (besides the man-in-the-middle attack).
That being said, I'm running Arch on my server with no complaints. With such a small minority of servers running Arch, and with the moderate difficulty of executing the MitM attack, I'm not worried and will continue to happily use Arch on my server.
But package list signing _would_ be nice
Last edited by punkrockguy318 (2011-03-21 12:02:36)
If I have the gift of prophecy and can fathom all mysteries and all knowledge, and if I have a faith that can move mountains, but have not love, I am nothing. 1 Corinthians 13:2
Offline
That will make a bunch of detached .sig files. Upload those anywhere and tell people. Mine are at http://pkgbuild.com/~kkeen/sigs/
And if you keep the old signatures for a while it should not be a problem to check those packages even if a server is out of sync. I only see a small obstacle: we'd need a central server to host those fingerprints. Personal public keys, only used for signing packages? At least I see now why it's not happening overnight...
Offline
I remember a misfit138 quote somewhere about security: if you know less, you are happy. If you know more, you will become paranoid.
Offline
My take on this is:
It is better to have no package signing than a half-arsed implementation with no trustworthy distribution of the keys. Package signing doesn't help at all if you can (relatively) easily poison the pubkeys/signature list after all. On a LAN I could easily do a DNS spoof and point http://pkgbuild.com/~kkeen/sigs/ to my list of bogus keys and signatures, possibly making it even easier for me to infect machines with trojans, since "the package is signed, so it must be safe and valid!" (I have seen something similar happen in real life, where fake signed packages for a commercial telecom product were spread widely after an attack on their DNS server.) What is needed is a safe and trustworthy distribution of the signatures and keys, and there should only be a limited number of keys that don't change too often, to help make key spoofing somewhat less likely/more easily detectable. It would be ideal if the keys could be confirmed by e.g. an SMS service.
Last edited by Mr.Elendig (2011-03-21 14:49:34)
Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest
Offline
Mr.Elendig - Mostly good points. Two flaws though.
There is never a trustworthy way to distribute keys, short of me flying across the world and handing it to you on a piece of paper. The best we can do is share the keys in as many places as possible (with physical key swaps in the few places where it is easily doable). I am not claiming my current arrangement is sufficient, but with my key out on a few keyservers it would be fine.
There should not be a limited number of keys. At the very least you need one per dev.
Awebb - every dev and TU already has a keypair. Any dev or TU can do this for their packages right now.
Offline
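The two posts above (keenerd's "a signature is just a really big number" and Mr.Elendig's point that a spoofed sigs/key host makes a signature worthless) can be shown together in one small script. This is an added illustration, not code from this thread, from pacman, or from keenerd's sigs setup: it uses a toy textbook RSA over a SHA-256 digest (stdlib only, no padding, never a substitute for gpg), and the package names and contents are constructed stand-ins for real .pkg.tar.xz files. It walks through three cases: an honest mirror, a tampered package checked against a pinned developer key, and the same tampered package checked against a key fetched from the same spoofed host that served the signatures.

```python
"""Detached package signatures vs. where the public key comes from.

Toy textbook RSA (raw SHA-256 digest, no padding) standing in for gpg -b.
It is only here to make the trust argument concrete; do not reuse it.
"""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with a quick trial-division filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-width, odd
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, rng=None):
    """Return (public, private) as ((n, e), (n, d)). A seeded rng gives a repeatable demo."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data):
    # 256-bit digest is always smaller than the 512-bit modulus used here
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """The detached signature: literally one big integer."""
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


# Constructed stand-ins for built packages (bytes instead of files on disk).
PACKAGES = {
    "foo-1.0-1-x86_64.pkg.tar.xz": b"\x1f\x8b foo contents",
    "bar-2.3-1-x86_64.pkg.tar.xz": b"\x1f\x8b bar contents",
}


def sign_packages(priv, packages):
    """What running gpg -b over each package yields: filename -> detached sig."""
    return {name: sign(priv, blob) for name, blob in packages.items()}


def verify_packages(pub, packages, sigs):
    """Client side: every package must have a sig that checks under `pub`."""
    return {name: name in sigs and verify(pub, blob, sigs[name])
            for name, blob in packages.items()}


def demo(seed=1234):
    rng = random.Random(seed)
    dev_pub, dev_priv = generate_keypair(rng=rng)
    dev_sigs = sign_packages(dev_priv, PACKAGES)

    # 1. Honest mirror, client holds the developer's key: all good.
    honest = verify_packages(dev_pub, PACKAGES, dev_sigs)

    # 2. Attacker on the path (ARP/DNS spoof) swaps one package. The client
    #    still has the real sigs and a pinned dev key, so the swap is caught.
    tampered = dict(PACKAGES)
    tampered["foo-1.0-1-x86_64.pkg.tar.xz"] = b"\x1f\x8b foo with a backdoor"
    pinned = verify_packages(dev_pub, tampered, dev_sigs)

    # 3. Same attacker also spoofs the host serving sigs/ AND the pubkey.
    #    They sign the trojan with their own key; a client that fetches the
    #    key from that host sees a perfectly clean verification.
    atk_pub, atk_priv = generate_keypair(rng=rng)
    atk_sigs = sign_packages(atk_priv, tampered)
    spoofed = verify_packages(atk_pub, tampered, atk_sigs)

    return {"honest": honest, "tampered_pinned_key": pinned,
            "tampered_spoofed_key": spoofed}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Case 2 is what hand-published .sig files already buy you, provided the client obtained the key out of band (a keyserver, a key handed over in person, a fingerprint printed somewhere the attacker does not control). Case 3 is Mr.Elendig's objection: if the key travels over the same path as the signatures, the check degenerates to "signed by whoever served the directory".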
Whinging, screaming, ranting and raving at people who owe you NOTHING will solve absolutely nothing.
But for some it's a placebo for a real purpose. Works wonders, but still accomplishes nothing.
Offline