Reflections on Trusting Trust

aristeu suporte at wahtec.com.br
Wed Nov 30 15:02:16 GMT 2005


>> Yes and no.  Fixing other potential security risks is good, but not if
>> it leads users to think that the packages are more trustworthy than they
>> really are.  In particular, if we started distributing signed packages,
 >> I suspect that most people would assume that the signatures guaranteed
>> that the packages were good, rather than simply ensuring that the
>> packages
>> hadn't been modified with after they were built.
>>
>> If we're going to sign anything, we need to ensure not just that we're
>> signing what we think we're signing, but also that we're signing what the
>> *end users* think that we're signing.
>
>Seems to me that ignorance and a false sense of security is bad
>wherever it appears, so all we can do is try our best to educate users
>about what they're getting.

I think that with a clear policy the ports and packages could be singned.
Something like a banner during installation of a port "This key ensures that
this port was made/arranged by an official freebsd port mantainer. The
freebsd security team does not take responsability for its contents since it
was not scrutinized by them. Good luck!", or, for packages, a similar
message saying the package was built on freebsd infrastructure, but the
freebsd team don`t take responsability fot its contents, bla, bla...

I don't know what kind of authentication with port mantainers do you have, 
but I
think between you guys and the port mantainers must exist some good scheme.
This part is OK. now is just the freebsd server and end users part. Sign it
with a "ports system" secret key, and a public key pre-installed on clients. 
The secret key well guarded on ports system core... Simple as that, it can 
mitigate some problems.

I realy dont think signing things ensure that a port or package is secure,
but but makes a hell of a better job proving that it came from where it
saids it came than loose hashes. Other than that,
"security by omission", if exists this, won't solve anything.

I know the freebsd-update and portsnap (potsnap I just discovered in this 
thread)
solutions are good. I'm wishing this to be the freebsd standard.

I don't wanna push things, and I know things don't work this way. I just
wanned to show an end user opinion, on the reflections topic... :)
that said, I'm gone....

Thanks and best regards,
--aristeu



More information about the freebsd-security mailing list