On Tue, Nov 01, 2016 at 03:59:28AM +0100, Lukas Rose wrote:
On 01 Nov 2016, at 00:35, Leonid Isaev <leonid.isaev@jila.colorado.edu> wrote:
Well, my mentality is that authenticating plain-text data is usually not necessary because a user can always inspect it
You just can't reliably inspect plain text install data, unless you spend an awful lot of time on it. As already pointed out, it's just too easy to miss out small malicious changes. And even if you were able to spot those, most average users won't, and that's what policies are meant for: the average user.
Perhaps you should try it yourself instead of arguing? I have been doing this since 2010 with about 50 packages. PKGBUILDs are not usually long and therefore easy to grasp with a single glance.
Regarding checksums, how did a dev know that upstream sources are authentic?
It's not about the upstream source being authentic, it's about the upstream source reaching your hard drive without further (malicious) modification. That said, you can't expect a package maintainer to review all the code he uses (indirectly) in his package. If you use another (open source) project, that one could always be malicious. But we'll assume that case is not likely (in general).
On the contrary, planting backdoors in OSS projects is a very likely scenario, that has happened multiple times already [1-3]...
It is much more likely that an attacker will try to break things you install (although I still assume that this is not often), than a group of attackers hiding malicious software in an (open source) project.
Where is such confidence coming from?
The former can be easily locked out by checksums, the latter only by extensive code reviews. And even if they were done, you'd still have to trust the one who did the review. Since there's an easy fix for the former, let's use it. Since there is none for the latter, let's keep an eye on this. There's always trust to a certain degree.
I can't really disentangle this pile of... thoughts.

Cheers,
L.

[1] https://en.wikipedia.org/wiki/Vsftpd
[2] http://arstechnica.com/business/2012/02/malicious-backdoor-in-open-source-me...
[3] http://security.stackexchange.com/questions/23334/example-of-a-backdoor-subm...
Cheers, Lukas
-- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
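The thread above argues about what a checksum in a PKGBUILD does and does not protect against. The following is an added example, written for this page and not code from either participant or from makepkg itself: a small Python checker that parses the `source=()` and `sha256sums=()` arrays of a constructed PKGBUILD fragment, verifies constructed in-memory "downloaded" files against them, and shows the two properties under discussion. A tampered download is caught; a file whose entry is `SKIP` (makepkg's convention for "do not verify") passes no matter what it contains; and a matching digest only proves the file is the one the maintainer hashed, not that upstream is benign. The PKGBUILD text, file names and file contents are all constructed for the example, and `parse_bash_array` is a deliberately small parser, not a bash interpreter.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample "downloaded" sources (filename -> bytes). These stand in
# for files makepkg would fetch into the build directory; they are not real.
GOOD_SOURCES: Dict[str, bytes] = {
    "example-1.0.tar.gz": b"pretend tarball contents, version 1.0\n",
    "example.patch": b"--- a/config.c\n+++ b/config.c\n@@ -1 +1 @@\n"
                     b"-int debug = 0;\n+int debug = 1;\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed PKGBUILD fragment. The tarball entry carries the real digest of
# the constructed bytes above; the patch is marked SKIP, which makepkg accepts
# as "do not check this file" (the weak setting discussed in the thread).
PKGBUILD = f"""\
pkgname=example
pkgver=1.0
source=('example-1.0.tar.gz'
        'https://example.invalid/example.patch')
sha256sums=('{sha256_hex(GOOD_SOURCES["example-1.0.tar.gz"])}'
            'SKIP')
"""


def parse_bash_array(text: str, name: str) -> List[str]:
    """Extract the quoted entries of `name=( ... )` from a PKGBUILD.

    Handles single- or double-quoted entries spanning several lines. It is a
    small purpose-built parser, not a bash interpreter: quoted entries may not
    contain ')' or quote characters.
    """
    m = re.search(rf"^{re.escape(name)}=\((.*?)\)", text, re.S | re.M)
    if not m:
        raise ValueError(f"array {name} not found")
    return re.findall(r"""['"]([^'"]*)['"]""", m.group(1))


def local_name(source_entry: str) -> str:
    """Map a source= entry to the file name makepkg stores it under:
    'name::url' uses the explicit name, otherwise the basename of the URL."""
    if "::" in source_entry:
        return source_entry.split("::", 1)[0]
    return source_entry.rsplit("/", 1)[-1]


def verify_sources(pkgbuild: str, files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (filename, status) per source entry.

    status is 'ok', 'mismatch', 'missing', or 'unverified' (a SKIP entry, for
    which nothing is checked at all).
    """
    sources = parse_bash_array(pkgbuild, "source")
    sums = parse_bash_array(pkgbuild, "sha256sums")
    if len(sources) != len(sums):
        raise ValueError("source and sha256sums arrays differ in length")
    results = []
    for entry, expected in zip(sources, sums):
        name = local_name(entry)
        if expected.upper() == "SKIP":
            results.append((name, "unverified"))
            continue
        data = files.get(name)
        if data is None:
            results.append((name, "missing"))
            continue
        status = "ok" if sha256_hex(data) == expected.lower() else "mismatch"
        results.append((name, status))
    return results


def all_verified(results: List[Tuple[str, str]]) -> bool:
    """True only if every source was actually checked and matched.

    Stricter than makepkg's default: a SKIP entry counts as a failure here,
    because an unchecked file gives the checksum mechanism nothing to lock out.
    """
    return all(status == "ok" for _, status in results)


def tampered_copy(files: Dict[str, bytes], name: str) -> Dict[str, bytes]:
    """Return a copy of `files` with one bit flipped in `name` (simulated
    modification of the download in transit)."""
    data = bytearray(files[name])
    data[0] ^= 0x01
    out = dict(files)
    out[name] = bytes(data)
    return out


if __name__ == "__main__":
    for name, status in verify_sources(PKGBUILD, GOOD_SOURCES):
        print(f"{name}: {status}")
    bad = tampered_copy(GOOD_SOURCES, "example-1.0.tar.gz")
    print("tampered tarball:", dict(verify_sources(PKGBUILD, bad))["example-1.0.tar.gz"])
    bad_patch = tampered_copy(GOOD_SOURCES, "example.patch")
    print("tampered SKIP file:", dict(verify_sources(PKGBUILD, bad_patch))["example.patch"])
```

Running it shows the tarball verifying and then failing after a single bit flip, while the SKIP'd patch reports `unverified` both before and after tampering: the checksum line is only as strong as the entries that are not SKIP, and `all_verified` refuses a PKGBUILD that leaves any source unchecked. None of this says anything about the tarball's contents being trustworthy; it only ties the download to whatever the maintainer hashed.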