[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files
Jonathan Rippy
jonathan.rippy at interpath.net
Thu Aug 1 14:12:20 EDT 2002
My Goal:
Reduce the risk of packages appearing in the wild that
have been compromised and go undetected.
My Proposal:
In addition to computing an MD5 checksum for the package,
additionally digitally sign the package.
Discussion:
I left out the web of trust discussion but that would of course
be needed as well. Key swapping conventions, initial system
installations, etc., could help establish this web of trust.
But....
Let's assume everyone rushed out this second and started
digitally signing their packages. When I go to download/install
a package;
If they are in my web of trust ...
Sweet, I can now (with less risk, though not
totally eliminated) use this package. I cannot be
guaranteed that their key wasn't compromised.
else if they are not in my web of trust ...
then If I go ahead and use it anyway ...
1.) I am in the same position as if they never
signed it in the first place. I.e., blindly
trusting this package.
2.) However, if this key enters my web of trust
in the future, then I've increased my
comfort level with all the packages this
identity has signed thus far and I've installed
on my system.
Summary:
It seems to me that in the worst case it neither helps nor hurts,
but merely adds an extra layer of complexity. However, in the
best case it could decrease the risk of compromised packages
being propagated. Also, if a key is compromised, you can revoke
the key. It's all about limiting risks in my opinion.
Mike Johnson wrote:
> Jonathan Rippy [jonathan.rippy at interpath.net] wrote:
>
>
>>Personally, I think the developers should GPG sign the
>>valid distributions. Then, the tool could verify the signatures.
>>
>
> But what does this solve? You would have to trust the person that
> signed it, or someone in your web of trust would have to trust the
> signer. If I just start signing files, how do you know that you should
> trust me? If I create a new key, upload it to the keyservers, and start
> signing things, are you going to trust what I've signed? Why?
>
>
>>Does any distro do this? (I'd assume some do ... not sure off
>>the top of my head.)
>>
>
> Red Hat signs each of their RPMs. Dunno about others.
>
> Mike
>
--
jonathan rippy
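The branches Jonathan walks through above (checksum only; signed by a key in my web of trust; signed by a key I don't know; key later revoked) can be written down as a small verifier. The following is an added example, not code from the thread, from OpenSSH or from any distribution's tooling. It uses Go's standard library only: Ed25519 stands in for GPG/RSA signatures, SHA-256 for the MD5 checksum, and a `Keyring` with a trusted set and a revoked set is a deliberately flat stand-in for a real web of trust. The file contents and key names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a distribution file plus the metadata a download site publishes
// beside it: a hex checksum and a detached signature by a named key.
type Release struct {
	Tarball   []byte
	Checksum  string            // hex SHA-256 of Tarball (stands in for the MD5 in the thread)
	Signature []byte            // Ed25519 signature over Tarball
	Signer    ed25519.PublicKey // key the signature claims to come from
}

// Keyring is the downloader's end of the web of trust, reduced to two sets:
// keys already trusted, and keys learned to be revoked (hypothetical model).
type Keyring struct {
	Trusted map[string]bool // hex-encoded public keys
	Revoked map[string]bool
}

// Verdict is the outcome of checking a release against a keyring.
type Verdict int

const (
	TrustedSigner Verdict = iota // valid signature from a key in the web of trust
	BadSignature                 // signature does not match the file
	RevokedKey                   // valid signature, but the key has been revoked
	UnknownKey                   // valid signature, but no basis to trust the key
)

func (v Verdict) String() string {
	return [...]string{"trusted signer", "bad signature", "revoked key", "unknown key"}[v]
}

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

func checksum(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Publish is what a maintainer does: hash the tarball and sign it. Whoever
// controls the download site can run exactly the same steps on a replaced
// file with a key of their own, which is why the checksum alone proves little.
func Publish(tarball []byte, priv ed25519.PrivateKey) Release {
	return Release{
		Tarball:   tarball,
		Checksum:  checksum(tarball),
		Signature: ed25519.Sign(priv, tarball),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// ChecksumOK is the checksum-only check the thread starts from.
func ChecksumOK(r Release) bool { return checksum(r.Tarball) == r.Checksum }

// Verify is the proposed addition: check the signature, then the signer's
// standing in the keyring. UnknownKey is Jonathan's "same position as if
// they never signed it" branch; RevokedKey is the revocation he mentions.
func Verify(r Release, kr Keyring) Verdict {
	if !ed25519.Verify(r.Signer, r.Tarball, r.Signature) {
		return BadSignature
	}
	id := keyID(r.Signer)
	switch {
	case kr.Revoked[id]:
		return RevokedKey
	case !kr.Trusted[id]:
		return UnknownKey
	}
	return TrustedSigner
}

func main() {
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, outsiderPriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{Trusted: map[string]bool{keyID(maintPub): true}, Revoked: map[string]bool{}}

	genuine := Publish([]byte("constructed tarball bytes"), maintPriv)
	// The swapped release is published the same way by whoever controls the
	// mirror, so its checksum file is consistent with the replaced tarball.
	swapped := Publish([]byte("constructed replacement bytes"), outsiderPriv)

	fmt.Printf("genuine: checksum ok=%v, signature: %v\n", ChecksumOK(genuine), Verify(genuine, kr))
	fmt.Printf("swapped: checksum ok=%v, signature: %v\n", ChecksumOK(swapped), Verify(swapped, kr))

	kr.Revoked[keyID(maintPub)] = true // maintainer's key compromised and revoked
	fmt.Printf("genuine after revocation: %v\n", Verify(genuine, kr))
}
```

The two checks answer different questions: `ChecksumOK` only tells you the download matches the checksum published next to it, which the same party could have rewritten; `Verify` ties the file to a key and then asks whether that key has earned any standing. A signature from a key outside the keyring verifies cryptographically but still lands in `UnknownKey`, which is exactly the "neither helps nor hurts" worst case in the summary, while the revocation branch is what turns a later key compromise into something the downloader can act on.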