[arch-general] Package signing (was: Arch Linux security is still poor)

Linas linas_fi at ymail.com
Wed Mar 17 01:06:44 CET 2010


I already had this email drafted in my head, but Ananda's 'Arch Linux 
security is still poor' thread, in which the point was also brought up, 
moved me to actually write it.

First off, there's an implicit level of trust on the package software, 
no matter which OS you use.
When using Windows, you trust in Microsoft, when using Mac OS, you trust 
in Apple, when using a Linux distro, you trust the packagers and upstream.
Either you do that, or you just trust whatever came installed and never 
install anything (thus never patching against new vulnerabilities).

The problem with Arch's current packaging system is not that you must 
trust people able to write to core not to add a rm -rf / (to name the 
classical 'attack'), nor that you might have installed Arch from infected 
media. The problem is that every time you do pacman -Syu, you must 
blindly trust that your DNS, network, and mirror are reliable, too.
The packages are verified with an md5 from the package list, but should 
you update from a compromised mirror (or an impersonated one, e.g. ARP 
poisoning, DNS spoofing, a BOFH proxy operator...) you have lost. A pacman 
-Syu from an open wifi might be enough. A later update may 'clean' it, 
so you may not even notice that you were once compromised.

There are several ways to close the gap:
*Always download the package list from ftp.archlinux.org
It's the easiest solution, but it only protects against the mirror 
operator. Moreover, it increases the load on that server and makes it a 
single point of failure.

*Package lists are signed from a trusted master key. There may be up to 
a key per repo.
Easy to provide, allows backward compatibility.

*Packages are automatically signed by ftp.archlinux.org before 
distributing them.
Removes the dependency on the package list. Packages can be shared 
securely (e.g. getting a downgrade from an untrusted user).

*Each developer signs their own packages prior to uploading. Each 
repository key signs the keys of the developers with write access. Users 
can blacklist or trust individual developers.

Needless to say, the last solution is the one I like most. However, 
being more complete, it also means more work. :)

The package signing could be a simple text file with filenames and 
hashes (preferably something more secure than md5) signed with gpg, or 
could be expanded if more fields are needed.

Do you think this is a good idea? Which solution do you prefer?
And most important, what would be needed to reach there?


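The second option above (a package list of filenames and hashes signed by a trusted repo key), played through against the mirror attack the message describes. This is an added example and not code from the post, from pacman, or from any Arch tooling; it assumes Ed25519 with Go's standard library in place of gpg, SHA-256 in place of md5, a "<sha256>  <filename>" line format, and constructed package contents and names that are not real Arch packages. RunScenario, VerifyPackage, BuildManifest and the error names are invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

var (
	ErrBadSignature   = errors.New("package list signature does not verify under the repo key")
	ErrUnknownPackage = errors.New("package is not in the signed package list")
	ErrHashMismatch   = errors.New("package hash does not match the signed package list")
	ErrMalformed      = errors.New("malformed package list")
)

// Manifest is the signed package list: package file name -> hex SHA-256.
type Manifest map[string]string

func hashHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every package the repo is about to publish.
func BuildManifest(pkgs map[string][]byte) Manifest {
	m := make(Manifest, len(pkgs))
	for name, data := range pkgs {
		m[name] = hashHex(data)
	}
	return m
}

// Encode writes one "<sha256>  <filename>" line per package, sorted by name,
// so signer and verifier always hash the identical byte string.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// ParseManifest reads the format written by Encode; anything else is rejected.
func ParseManifest(data []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(strings.TrimRight(string(data), "\n"), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != 64 || parts[1] == "" {
			return nil, ErrMalformed
		}
		if _, err := hex.DecodeString(parts[0]); err != nil {
			return nil, ErrMalformed
		}
		m[parts[1]] = parts[0]
	}
	return m, nil
}

// SignManifest is the repo master key's job: sign the canonical list once.
func SignManifest(repoPriv ed25519.PrivateKey, m Manifest) (listBytes, sig []byte) {
	listBytes = m.Encode()
	return listBytes, ed25519.Sign(repoPriv, listBytes)
}

// VerifyPackage is the client side, run on bytes fetched from an untrusted
// mirror: accept the list only under the pinned repo public key, then check
// the package against the hash that list carries. A mirror can alter the
// package or the list, but without the repo private key cannot re-sign it.
func VerifyPackage(repoPub ed25519.PublicKey, listBytes, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(repoPub, listBytes, sig) {
		return ErrBadSignature
	}
	m, err := ParseManifest(listBytes)
	if err != nil {
		return err
	}
	want, ok := m[name]
	if !ok {
		return ErrUnknownPackage
	}
	if hashHex(pkg) != want {
		return ErrHashMismatch
	}
	return nil
}

// RunScenario plays the attack from the post: a compromised mirror swaps a
// package, then also rewrites the package list so the hash matches.
func RunScenario() (genuine, swapped, forgedList error) {
	repoPub, repoPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample repo contents; not real Arch packages.
	name := "foo-1.0-1-x86_64.pkg.tar.gz"
	pkgs := map[string][]byte{name: []byte("genuine foo contents")}
	listBytes, sig := SignManifest(repoPriv, BuildManifest(pkgs))

	genuine = VerifyPackage(repoPub, listBytes, sig, name, pkgs[name])
	evil := []byte("trojaned foo contents")
	swapped = VerifyPackage(repoPub, listBytes, sig, name, evil)
	forged := BuildManifest(map[string][]byte{name: evil}).Encode()
	forgedList = VerifyPackage(repoPub, forged, sig, name, evil)
	return
}

func main() {
	g, s, f := RunScenario()
	fmt.Println("genuine package:", g)
	fmt.Println("swapped package:", s)
	fmt.Println("swapped package + forged list:", f)
}
```

The list format is deliberately canonical (sorted, fixed separator) so the signature covers exactly the bytes the client parses; the per-developer variant from the last option would add a layer where the repo key signs developer public keys and VerifyPackage checks a package signature under one of those keys instead of a hash in a central list.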

