On Sun, Jan 02, 2011 at 02:52:29AM +0200, Marian Marinov wrote:
> On Sunday 02 January 2011 02:20:13 John Morrissey wrote:
> > On Sat, Jan 01, 2011 at 06:46:26PM -0500, John Morrissey wrote:
> > > Starting on about 12 January, we will be automatically verifying the
> > > PGP and MD5 signatures for current source tarballs (those in
> > > distrib/source) on all mirrors. Based on the count and size of current
> > > releases, this will cause an additional 350-400 gbytes of monthly
> > > traffic for each mirror.
> >
> > My calculations were way off somehow; this figure should be about
> > *5 to 6* gbytes/month per mirror.
>
> I'm sorry but, isn't it better to have every mirror calc its MD5 sums
> every day and the main mirror keeps the TRUE signatures up to date and
> secure?
We considered this, but if we're trying to detect whether a mirror has been
compromised, what's to keep the attacker from modifying the cron job that does
this signature verification? Also, we'd need to have all 30+ mirrors agree to
run the extra code to do this. Some may not have (or want to have) the
necessary dependencies installed, or may have wildly different versions
available. And we would need to coordinate updates to this (albeit simple) job
when the inevitable changes or bug fixes occur.

I hear your point, but all in all, the best way to achieve this goal is to have
a separate party from the mirror host perform signature verification.

> I'm not a mirror maintainer, but to me, it seems useless to download and
> verify every mirror remotely. I believe that every mirror maintainer will
> agree to put some very basic cron job which will download the current
> signatures and verify all packages from those signatures. And it will be
> quite faster.

Some software ecosystems have built-in signature verification for software
downloads. Debian's APT comes to mind; it verifies a PGP chain of trust to
ensure downloaded files are unmodified. ProFTPD source code downloads aren't
part of a larger ecosystem like that, so we have no way to guarantee that
signature verification happens when a download occurs. Even though it wasn't a
ProFTPD mirror that was compromised, we evaluated our distribution
infrastructure and decided that we should be providing this assurance since
ProFTPD mirrors are official download locations.

john
-- 
John Morrissey          _o            /\         ----          __o
j...@proftpd.org      _-< \_          /  \       ----         <  \,
www.proftpd.org/    __(_)/_(_)________/    \_______(_) /_(_)__

_______________________________________________
ProFTPD Mirror Sites List <proftpd-mirr...@proftpd.org>
https://lists.sourceforge.net/lists/listinfo/proftp-mirrors
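As an added illustration of the approach John argues for (a party other than the mirror host compares the mirror's copies against the checksums the main site publishes, never against checksum files served by the mirror itself), here is a Python sketch of the MD5 half of such a check. It is not code from this list or from the ProFTPD project; the filenames, tarball contents and md5sum-style listing are constructed for the example, and the PGP verification step is not included.

```python
import hashlib
import hmac

def publish_md5_listing(canonical_files):
    """Build an md5sum-style listing ("<hex>  <name>") from the trusted copies."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n"
                   for name, data in sorted(canonical_files.items()))

def parse_md5_listing(text):
    """Parse md5sum-style lines into {name: hex}; blank and '#' lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in md5sum output
    return expected

def verify_mirror(mirror_files, trusted_listing):
    """Compare what a mirror serves against the main site's listing.

    Returns {name: 'ok' | 'modified' | 'missing'} for every listed file. Files the
    trusted listing does not mention (including any checksum files the mirror
    itself serves) are ignored: only the main site's listing is authoritative.
    """
    results = {}
    for name, expected_hex in parse_md5_listing(trusted_listing).items():
        data = mirror_files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual_hex = hashlib.md5(data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual_hex, expected_hex) else "modified"
    return results

# Constructed sample: the canonical tarballs as held by the main site ...
CANONICAL = {
    "proftpd-EXAMPLE-a.tar.gz": b"constructed canonical tarball A",
    "proftpd-EXAMPLE-b.tar.gz": b"constructed canonical tarball B",
    "proftpd-EXAMPLE-c.tar.gz": b"constructed canonical tarball C",
}
TRUSTED_LISTING = publish_md5_listing(CANONICAL)

# ... and what one mirror actually serves: B was altered, C is absent, and the
# mirror's own checksum file for B is present but carries no weight.
MIRROR = {
    "proftpd-EXAMPLE-a.tar.gz": CANONICAL["proftpd-EXAMPLE-a.tar.gz"],
    "proftpd-EXAMPLE-b.tar.gz": b"constructed TAMPERED tarball B",
    "proftpd-EXAMPLE-b.tar.gz.md5": b"constructed mirror-side checksum file, ignored",
}

if __name__ == "__main__":
    for name, status in verify_mirror(MIRROR, TRUSTED_LISTING).items():
        print(f"{status:8s} {name}")
```

In a real run the mirror dictionary would be replaced by fetches from each mirror and the listing by a fetch from the main site over a trusted channel, so the verifier's result depends on nothing the mirror host controls.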