Ports tree insecure because of IGNOREFILES+IGNORE

philj at openmailbox.org
Sun Jun 22 23:16:25 UTC 2014


On 2014-06-22 22:40, Chris Nehren wrote:
> On Sunday, June 22, 2014 22:31:50 philj at openmailbox.org wrote:
>> The IGNOREFILES+IGNORE mechanism allows port maintainers to
>> disable checksum checks. I feel that this mechanism is a stain
>> on an otherwise fantastic ports system. It reduces user
>> confidence in security and makes us all sitting ducks for
>> sophisticated adversaries.
> 
> Er.  There's nothing stopping a port maintainer from saying
> "Sorry, the distfiles aren't fetchable from the master sites any
> more, I can host a copy" and then host a malicious distfile.  Or
> doing any number of simpler things to cause a problem.  The
> Project doesn't have the resources to audit every single
> distfile's code.  If you're that paranoid, you're welcome to do
> so yourself.

Chris,

You have a valid point, of course, though in this case I was
assuming the port maintainers themselves are trustworthy (just
in case you got the impression from my first paragraph that
I was painting the port maintainers black).

We've seen in the news, at least for Windows, that sophisticated
adversaries with man-in-the-middle capabilities are making use of
cleartext crash-dump logs, hash collisions (so far only MD5), and
weaknesses in the system's update mechanism.

I believe the Project does take these threats very seriously,
even though superhuman auditing ability is an impractical goal.
That's why freebsd-update and portsnap use keys. It's why the
vast majority of distinfo files have SHA256 hashes. It's why
the /usr/sbin/pkg bootstrapper got blacklisted in versions
of FreeBSD that can't verify the signatures.

The good news for those who are worried is that all the ports
I've mentioned have been marked broken, and the IGNOREFILES+IGNORE
mechanism is now pending removal. Here's a copy
of a reply from Baptiste Daroussin (bapt at FreeBSD.org)
for those who aren't subscribed to freebsd-ports:

------------------------------------------------------------
All the said ports have been marked as broken, the "feature"
removal is pending review

Thanks for the heads up, I wasn't aware of this "feature"

regards,
Bapt
------------------------------------------------------------
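The distinfo checksum step this thread is about, shown as an added illustration rather than code from FreeBSD's bsd.port.mk or from any poster: a small Python model of how SHA256 and SIZE entries in a port's distinfo are checked against a fetched distfile, and how an IGNOREFILES-style exemption turns into a distfile that is never verified at all. The distfile names, their contents and the exact IGNOREFILES semantics are constructed assumptions for this example; the real ports checksum logic lives in make(1) and sh, not Python.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Line shapes used in a ports distinfo file: "SHA256 (file) = hex" and
# "SIZE (file) = bytes". "TIMESTAMP = n" lines are ignored by the parser.
DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

# Constructed distfile contents (assumption: these stand in for tarballs).
GOOD = b"constructed distfile contents\n"
TAMPERED = b"c0nstructed distfile contents\n"   # same length, one byte changed

# Constructed distinfo text. Note that bar-2.1.tar.gz has no SHA256 entry,
# which is the situation IGNOREFILES allowed a maintainer to ship.
DISTINFO_TEXT = (
    "TIMESTAMP = 1403478985\n"
    f"SHA256 (foo-1.0.tar.gz) = {hashlib.sha256(GOOD).hexdigest()}\n"
    f"SIZE (foo-1.0.tar.gz) = {len(GOOD)}\n"
    "SIZE (bar-2.1.tar.gz) = 4\n"
)


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Parse distinfo into {distfile: {"SHA256": hex, "SIZE": decimal string}}."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable distinfo line: {line!r}")
        kind, name, value = m.groups()
        entries.setdefault(name, {})[kind] = value
    return entries


def verify_distfiles(distinfo: Dict[str, Dict[str, str]],
                     distfiles: Dict[str, bytes],
                     ignorefiles: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Return one (distfile, verdict) pair per fetched distfile.

    Verdicts: "ok", "mismatch", "size-mismatch", "no-checksum" (distinfo has
    no SHA256 line for the file) and "unchecked" (skipped because the file was
    listed in IGNOREFILES, the assumed semantics of that variable).
    """
    results: List[Tuple[str, str]] = []
    for name, data in distfiles.items():
        if name in ignorefiles:
            # An exempted file is accepted without ever hashing it.
            results.append((name, "unchecked"))
            continue
        entry = distinfo.get(name)
        if entry is None or "SHA256" not in entry:
            results.append((name, "no-checksum"))
            continue
        if "SIZE" in entry and int(entry["SIZE"]) != len(data):
            results.append((name, "size-mismatch"))
            continue
        digest = hashlib.sha256(data).hexdigest()
        matched = hmac.compare_digest(digest, entry["SHA256"].lower())
        results.append((name, "ok" if matched else "mismatch"))
    return results


def all_verified(results: List[Tuple[str, str]]) -> bool:
    """Fail closed: only a hash that was actually checked and matched counts."""
    return bool(results) and all(verdict == "ok" for _, verdict in results)


if __name__ == "__main__":
    info = parse_distinfo(DISTINFO_TEXT)
    print(verify_distfiles(info, {"foo-1.0.tar.gz": GOOD}))
    print(verify_distfiles(info, {"foo-1.0.tar.gz": TAMPERED}))
    print(verify_distfiles(info, {"foo-1.0.tar.gz": TAMPERED},
                           ignorefiles=("foo-1.0.tar.gz",)))
    print(verify_distfiles(info, {"bar-2.1.tar.gz": b"abcd"}))
```

The point of `all_verified` is that "unchecked" and "no-checksum" are treated the same as a mismatch: a distfile that was exempted from hashing gives the build no evidence about what was fetched, which is exactly the gap a man-in-the-middle would exploit and the reason the thread welcomes removal of the exemption.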

