Robert Menschel writes:
> Hello Gerd,
>
> Wednesday, February 9, 2005, 4:51:39 PM, you wrote:
>
> >> Most people would find the SHA1 file sufficient, the more paranoid among us
> >> would do GPG.
>
> GvE> sorry to intercept, but aren't the updated rule files that you
> GvE> plan to publish code that is instantly executed as fetched? ...
>
> 1) IMO the rules files aren't "executed", but are regex filters (or
> equivalent) that check for spam. A compromised system might be tweaked
> to allow more spam through, but should not be zombied.

A malicious plugin (for example) will indeed be executed. Malicious lines
in a *system-wide* config file could cause trouble by scribbling over
files; e.g. "bayes_path /etc/passwd" or similar...

> GvE> We've seen breakins at some well respected open source sites
> GvE> within the last months (e.g. debian). But the damage was minor
> GvE> because only few people downloaded the malicious code before it
> GvE> was found and removed. This will be different with an automatic
> GvE> update system...
>
> My point is that if the rules files to be transmitted are
> automatically compiled from subsidiary rules files, and the GPG
> signature is applied by an automated system, without a human checking
> that each and every rule is indeed valid and correct, then there's
> nothing to stop a breakin from slipping their dirt into one of those
> subsidiary files, and the automated system will happily sign the
> corrupted file.
>
> If a file goes from system A to B to C to D, the system at D can check
> A's signature to verify the file wasn't modified by B or C, but if A's
> signature is automatically applied on system A, there's NO assurance
> to the quality of the signed file.
>
> Am I wrong about this?

Yep! ;)

There are levels of trust. For example, a third-party mirror may be more
easily compromised than our locked-down rules-update server.

And let's say we have 30 mirrors (as the ASF do) -- or, worse, Coral,
which adds even more, and has to be considered a potentially dangerous
traffic medium -- that would mean 31 possible avenues of attack.

Signing at the "bottleneck" -- on a locked-down updates server -- which
then dists out to machines on the public internet, and ensuring
downloaders always verify sigs, is a lot safer.

--j.
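The scheme the reply argues for, sign once on the locked-down server and have every downloader verify against a pinned key before installing, as an added example that is not from this thread or from SpamAssassin. Ed25519 from Go's standard library stands in for GPG, the key pair and the rules line are constructed, and the check only shows the client that the bytes left the signing server intact; it says nothing about whether what the server signed was sane, which is the residual risk the thread discusses.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedRules is what the locked-down update server publishes and what
// every mirror redistributes: the rules file plus its detached signature.
type SignedRules struct {
	Rules []byte
	Sig   []byte
}

// Sign runs only on the update server (the "bottleneck"); mirrors never sign.
func Sign(priv ed25519.PrivateKey, rules []byte) SignedRules {
	return SignedRules{Rules: rules, Sig: ed25519.Sign(priv, rules)}
}

// Verify is what each downloader runs before installing. The public key is
// pinned in the client; the mirror it fetched from is not trusted for
// integrity. A valid signature proves only that the server signed these bytes.
func Verify(pub ed25519.PublicKey, sr SignedRules) ([]byte, error) {
	if !ed25519.Verify(pub, sr.Rules, sr.Sig) {
		return nil, errors.New("signature check failed; refusing to install rules update")
	}
	return sr.Rules, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // update server's key pair (constructed)
	if err != nil {
		panic(err)
	}
	rules := []byte("body LOCAL_DEMO /constructed sample phrase/i\n") // constructed rules file
	published := Sign(priv, rules)

	// Honest mirror: bytes unchanged, the client installs them.
	_, err = Verify(pub, published)
	fmt.Println("honest mirror:", err)

	// Compromised mirror: a hostile config line is appended in transit, so the signature no longer matches.
	tampered := SignedRules{Sig: published.Sig}
	tampered.Rules = append(append([]byte{}, published.Rules...), "bayes_path /etc/passwd\n"...)
	_, err = Verify(pub, tampered)
	fmt.Println("tampered mirror:", err)
}
```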
