Frank Ch. Eigler wrote: > Björn Persson <Bjorn@xxxxxxxxxxxxxxxxxxxx> writes: > > And as you noted yourself, an attacker who can manipulate cached files > > client-side has already taken over the user account anyway. > > Yes and no, and so I must disagree with your "won't improve ... for > anyone". The proposed client-side verification is roughly analogous to > running "rpm -V" on a machine. Yes, if an attacker has control at that > moment, it's not reliable. Nevertheless, to detect residue of a > -previous attack- or accidental data corruption, it can be worthwhile. I fail to imagine how you believe attackers operate to make the distinction between an attacker who has control and a previous attack relevant. It can detect accidental data corruption, yes. If you want to checksum the cache to detect accidental data corruption, that's fine by me, but that's better done locally, so that the checksums can be verified without contacting any server. > > Given that it serves debuginfo only for Fedora packages, and does not > > forward requests to any other debuginfo servers, using this server > > seems equivalent security-wise to downloading unsigned packages from > > Koji. > > Not exactly. All the data is -from- signed packages. Okay, so it's equivalent to downloading packages that were once signed, but had the signatures removed before the packages were offered for downloading – which is in turn equivalent to downloading unsigned packages. > > To make the debuginfo protocol as secure as signed debuginfo packages, > > the client should verify the files against a hash computed and signed > > on the signing server. > > If the threat model includes a -local active attacker-, then this would > not help either. An attacker could interfere with the local keystore > and/or trust chains and/or signature verification software. A local active attacker who can already read, write and execute whatever they want has nothing more to gain from tampering with cached debuginfo. > > By the way, the change page still doesn't say enough about how network > > problems will affect the user experience. [...] > > I'm not sure why you say "still" when this question was not posed here > before. Because I posed the question in my first message in this thread, on the 11th. Björn Persson
Attachment:
pgpbfDR0WsG8a.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
