Reflections on Trusting Trust

Peter Jeremy PeterJeremy at optushome.com.au
Tue Nov 29 18:33:57 GMT 2005


On Tue, 2005-Nov-29 13:36:31 -0200, aristeu wrote:
>I think the only problem that exists is the package/ports deployment. I 
>believe we can't trust only on hashes for this (tar already does a fine job 
>on integrity...), because it can be easily circumvented.

Can you explain what you mean here?  Virtually all distfiles needed to
build a port have MD5 and maybe SHA-256 hashes embedded in the ports
tree.  The only way to easily circumvent these is to subvert the ports
tree - which gets back to the issue of trusting the FreeBSD distribution.
I agree that there's currently no integrity checking on packages.
(And, BTW, tar has no integrity checks).

>One thing that could do a good job is default install gnupg and pre-install 
>some important pgp public keys on ISOs releases, on root's profile...
...
>My mom used to say "always prefer the pre-installed pub keys...".

I don't believe this solves anything.  The biggest problem is ensuring
that you can trust your initial keyring or root certificate
collection.  Putting "trusted" keys on an ISO only gives you circular
trust - you trust that the ISO image came from the people who made it.
There's no easy way to verify that it came from the FreeBSD Project.
The FreeBSD project also discourages the inclusion of GPL code in the
base system, making gnupg unattractive as a base system candidate.
Finally, PGP does not have the concept of "important" keys - this is
closer to the X.509 model.  The base system already includes tools for
handling X.509 signatures (openssl) and there is already a collection
of X.509 keys embedded in the ports system (security/ca-roots).

-- 
Peter Jeremy
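The point Peter makes about distfile hashes (that they can only be circumvented by subverting the record in the ports tree) can be shown concretely. The following is an added example, not code from the post or from the FreeBSD ports infrastructure. It parses a FreeBSD-style distinfo record (`MD5 (file) = …`, `SHA256 (file) = …`, `SIZE (file) = …`), verifies a distfile against it, and then walks through three cases: the genuine file passes, a tampered file fails against the genuine record, and a tampered file with a regenerated record passes. The distfile bytes and the record are constructed inline; the `make_distinfo` helper stands in for what `make makesum` produces and is an assumption of this example.

```python
import hashlib
import re

# Constructed sample distfile (not a real tarball); the distinfo record below
# is generated from these bytes so the example is self-consistent and offline.
DISTFILE_NAME = "example-1.0.tar.gz"
DISTFILE_DATA = b"constructed distfile contents, not a real tarball\n"

# One distinfo line: ALGO (filename) = value
DISTINFO_LINE = re.compile(r"^(?P<field>MD5|SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def make_distinfo(name, data):
    """Produce a distinfo record for data, in the style 'make makesum' writes.
    Hypothetical helper for this example; the real target writes the same fields."""
    return "\n".join([
        f"MD5 ({name}) = {hashlib.md5(data).hexdigest()}",
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}",
        f"SIZE ({name}) = {len(data)}",
    ]) + "\n"


def parse_distinfo(text):
    """Parse distinfo text into {filename: {"MD5": ..., "SHA256": ..., "SIZE": ...}}.
    TIMESTAMP lines (present in newer records) are skipped."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable distinfo line: {line!r}")
        records.setdefault(m.group("name"), {})[m.group("field")] = m.group("value")
    return records


def verify_distfile(data, record):
    """Check data against every field present in record. Returns (ok, reasons)."""
    reasons = []
    if "SIZE" in record and int(record["SIZE"]) != len(data):
        reasons.append("SIZE mismatch")
    if "SHA256" in record and hashlib.sha256(data).hexdigest() != record["SHA256"].lower():
        reasons.append("SHA256 mismatch")
    if "MD5" in record and hashlib.md5(data).hexdigest() != record["MD5"].lower():
        reasons.append("MD5 mismatch")
    return (not reasons, reasons)


def trust_walkthrough():
    """Three cases showing where the trust in a distinfo check actually rests."""
    genuine_record = parse_distinfo(make_distinfo(DISTFILE_NAME, DISTFILE_DATA))[DISTFILE_NAME]
    tampered = DISTFILE_DATA.replace(b"contents", b"CONTENTS")

    # 1. Genuine file against the genuine record: passes.
    genuine_ok, _ = verify_distfile(DISTFILE_DATA, genuine_record)

    # 2. Tampered file against the genuine record: the hash catches it.
    tampered_ok, tampered_reasons = verify_distfile(tampered, genuine_record)

    # 3. Tampered file with a regenerated record: passes. The check only ever
    #    compares the file to the record, so integrity of the distinfo (i.e. of
    #    the ports tree itself) is the real root of trust.
    replaced_record = parse_distinfo(make_distinfo(DISTFILE_NAME, tampered))[DISTFILE_NAME]
    replaced_ok, _ = verify_distfile(tampered, replaced_record)

    return {
        "genuine_passes": genuine_ok,
        "tampered_fails": not tampered_ok,
        "tampered_reasons": tampered_reasons,
        "tampered_with_replaced_record_passes": replaced_ok,
    }


if __name__ == "__main__":
    for key, value in trust_walkthrough().items():
        print(f"{key}: {value}")
```

The third case is the substance of the thread: a distinfo hash detects a modified distfile, but says nothing about whether the record itself is the one the maintainer committed. Anything that can rewrite the ports tree can rewrite the hashes, which is why the question comes back to how the tree (and the release media carrying it) is authenticated.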


More information about the freebsd-security mailing list