On Thu, 30 Oct 2003, Simon Kitching wrote: > On Thu, 2003-10-30 at 14:05, Robert G. Brown wrote: > > > Seth is actually an alien creature originally from a small planet > > orbiting Arcturus. If one surprises him unawares, he is often muttering > > something about a place named "R'Lyeh" and some dude named "Ktooloo". > > He is disguised as an Albanian terrorist, disguised as a systems > > programmer, seeking to take control of all the computers on the planet > > that matter (all of the ones running linux). > > You forgot to mention that he paints really scary pictures in his > basement studio :-) Yeah, on his easel right next to the old well with the squid-thing design on it. I think you've got it. > > Maybe. I personally wouldn't trust gpg checking all that far as this > > also involves one in loops of trust and who you gonna trust to tell you > > who NOT to trust (and with what tools). > > I don't understand. By adding the RedHat public key to my keyring, and > setting gpgcheck=1 in my yum.conf file for each source of rpms, **only** > packages issued by RedHat's team will ever be installed. Someone can > crack redhat, fedora, or any other rpm mirror, and I don't care. Only if > someone steals RedHat's private key do I need to worry. > > No matter how many repositories I point my yum.conf at, the signature on > every RPM is checked before installation. And due to the magic of public > key cryptography, no-one can fake a RedHat signature. So *my* servers > are very safe. Sure, but in an insanely paranoid universe you still have to get the RH public key from a reliable place, which requires YAKS (yet another keyservice) to sign off on it, which in turn is likely an internet address, which makes it vulnerable to spoofing and man in the middle and more. And then there is trusting Seth's servers vs trusting Red Hat's. I know for a fact that in addition to staring through glowing screens into strange worlds of unspeakable Evil, Seth is a raving paranoid with schizoid tendencies. Why just today he threatened to push a rack full of equipment over on somebody on this very list. Nobody is crackproof, but Seth is, um, "crack resistant". We can only hope that RH does as well at protecting their private keys. > Ok, I can't distribute rpms from non-redhat builders to my servers; for > that I need to either install the public key of the builder, or figure > out how to "resign" the rpms with my key (and add my public key to the > keyring on each server). Any hints on how to do resigning are welcome... > > The problem with the current yum installation is that users with less > than my level of paranoia are open to cracking. And Magnus Hedemark says > in another reply on this thread that the duke servers are under heavy > load, so more mirrors may be added to the default config file. In that > case, "normal" users will then be trusting the security not only of the > Duke servers, but all other servers. One mistake, or one evil junior > sysadmin, and Microsoft will have a ball with the resulting publicity. > > In fact, the current approach really reminds me of Microsoft's approach > to security: convenience first, safety later. I would prefer to see > systems which are secure by default, with users *deliberately* having to > weaken security if they want more convenience. > > This is nothing to do with yum as a tool; yum is cool. It is all to do > with what yum-xxxx.rpm does in terms of reconfiguring the local machine > when it is installed. I agree with all of the above, and even point it out already in the HOWTO, or in previous list discussions, or both. And I'm just being pedantic -- in actuality gpgcheck is probably "enough" security, at least along the RH trail. But then there are the non-RH builders, freshrpms, homebrew rpms, rpms installed from src rpms. You can likely avoid the horror of a trojanned glibc with signatures, but second-layer stuff (and we, at least, have a fair number of second layer packages we add on top of standard RH) has independent and sometimes less controllable risks. However, I'm really skeptical about systems that are "secure by default". That sounds a lot like topdown control, and that IS Microsoft's approach to security, except that they do a lousy job of it. Linux is much more about distributed control, collective security, robustness and rapid recovery at the expense of some phase space where damage can occur. Security is thus a topic for a whole, focussed discussion involving e.g. keyservers, trust, money, and (I hope) recovery time and damage limitation as much as anything else. In the meantime, yum can be made "reasonably" secure by a skilled administrator such as yourself, but will still "work" for Duke undergraduates fresh from WinXX who haven't any clue what a gpg signature is or how to check one or set yum and their systems up to check one. I really continue to think of the yum suite as MOSTLY an administrator's toolset; primarily useful by joe user to the extent that their local admin supports it, and about as secure as that admin cares to make it. It will be interesting to see if it survives in the wild as a client-only tool with public repositories. There is where the trust issue REALLY lurks, and gpgchecking may be just the first layer in a robust set of defenses... > If all servers running the yum client app insist on rpms being signed by > trusted parties whose public keys are installed into their local > keyring, then there is no need for any of this; the rpms have a > guaranteed trusted source. No trojans allowed. "Guaranteed trusted" sounds like one of those famous oxymorons...;-) rgb > > > NB: I am running yum-1.0.3 on RH8. My apologies if some/all of this is > not relevant to the latest versions of yum. -- Robert G. Brown http://www.phy.duke.edu/~rgb/ Duke University Dept. of Physics, Box 90305 Durham, N.C. 27708-0305 Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb@xxxxxxxxxxxx
