Hi,

I am wondering why posts by Vladimir Diaz and Justin Cappos are not
visible on the gentoo-portage-dev mailing list archive.

Lost in spam filter?

Have you received them?

Should the listmaster be contacted?

Cheers,
Patrick

Vladimir Diaz:
> Hi,
> 
> I am a developer in the Secure Systems Lab at NYU.  Our lab has
> collaborated with popular software update systems in the open-source
> community, including APT, yum, and YaST, to address security problems.
> More recently, we have been working on a flexible security framework
> co-developed with the Tor project that can be easily added to software
> updaters to transparently solve many of the known security flaws we have
> uncovered in software updaters.  We would like to work with The Portage
> Development Project to better secure the Portage distribution system.
> 
> TUF
> <https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
> (The Update Framework) is a library that can be added to an existing
> software update system and is designed to update files in a more secure
> manner.  Many software updaters verify software updates with cryptographic
> signatures and hash functions, but they typically fail to protect against
> malicious attacks that target the metadata and update files presented to
> clients.  A rollback attack is one such example, where an attacker tricks a
> client into installing older files than those the client has already seen
> (these older files may be vulnerable versions that have since been fixed).
> A full list of attacks and weaknesses the framework is designed to address
> is provided here
> <https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security>.
> 
> Our website <http://theupdateframework.com/index.html> includes more
> information about TUF, including: papers
> <https://github.com/theupdateframework/tuf/tree/develop/docs/papers> and a
> specification
> <https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
> If you want to see how an existing project integrates TUF, there is a
> standards track proposal
> <https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
> to the Python community that you can review.  A more rigorous proposal that
> requires more administrative work on the repository, but provides more
> security protections, is also available
> <https://www.python.org/dev/peps/pep-0480/>.
> 
> Thanks,
> Vlad
> 
> P.S.
> There is an informational Gentoo Linux Enhancement Proposal that references
> the security issues that our project addresses, but there hasn't been much
> recent activity.
> 
> 
> --
> [email protected]
> PGP fingerprint = ACCF 9DCA 73B9 862F 93C5  6608 63F8 90AA 1D25 3935
> --
> 


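The rollback attack described in Vlad's message is countered in TUF by having the client remember the highest metadata version it has accepted for each role and refuse anything older. The following is an added illustration of that check, written for this thread and not code from the TUF project; the `Metadata` and `Client` classes are simplified stand-ins, and signature verification is assumed to have already succeeded before `update` is called.

```python
"""Minimal model of TUF-style rollback and freeze protection on the client
(added example; not part of TUF or of the original email)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Metadata:
    """A signed metadata file as seen by the client (signature already checked)."""
    role: str       # e.g. "root", "targets", "snapshot", "timestamp"
    version: int    # strictly increasing per role on the repository
    expires: int    # UNIX time after which this metadata must not be trusted


@dataclass
class Client:
    """Tracks the most recent metadata the client has accepted, per role."""
    trusted: Dict[str, Metadata] = field(default_factory=dict)

    def update(self, new: Metadata, now: int) -> Tuple[bool, str]:
        """Accept `new` only if it is fresh and not older than what we trust.

        Returns (accepted, reason) so callers can log the rejection cause.
        """
        # Freeze protection: an attacker replaying valid-but-stale metadata
        # is caught by the expiry stamp.
        if new.expires <= now:
            return False, "expired"
        # Rollback protection: never go backwards relative to the version
        # this client has already seen for the same role.
        old = self.trusted.get(new.role)
        if old is not None and new.version < old.version:
            return False, f"rollback: version {new.version} < trusted {old.version}"
        self.trusted[new.role] = new
        return True, "accepted"


def demo() -> Tuple[bool, bool, int]:
    """Constructed sequence: a fresh update, then a replayed older file."""
    client = Client()
    ok_first, _ = client.update(Metadata("targets", 5, expires=2_000), now=1_000)
    ok_replay, _ = client.update(Metadata("targets", 4, expires=2_000), now=1_000)
    return ok_first, ok_replay, client.trusted["targets"].version


if __name__ == "__main__":
    print(demo())
```

Re-presenting the same version is accepted (an idempotent refresh), while a lower version or an expired file is rejected and the trusted state is left untouched.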