On Friday, April 14, 2017 9:06:53 AM EDT Paul Moore wrote: > On Thu, Apr 13, 2017 at 6:25 PM, Steve Grubb <[email protected]> wrote: > > On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote: > >> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts > >> > >> <[email protected]> wrote: > >> > Isn't the hash on the https people's page? > > > > No, its on the mail list. The mail list is moderated. Only a handful of > > people could post a spoofed message. > > > >> > Which last time I looked wasnt throwing cert errors in chrome. > >> > >> Unless Steve has exclusive administrative access to people.redhat.com > >> (I think it is safe to say he does not, but correct me if I'm wrong > >> Steve <b>) > > > > Nope. > > > >> you can't trust an unsigned checksum regardless of how > >> strong the https cert/crypto as the web admin could still tamper with > >> the data. > > > > They would have to go tamper with the mail list where all the hashes are > > publicly disclosed, too. There are multiple mail list archives. Then they > > would have to post the tampered tarball to the Fedora Build System which > > also publicly discloses hashs. And the Fedora Build System requires > > several identity checks to check it in and it maintains a log. > > No. Since there is no authentication to post to this public email > list all they would have to do is spoof bogus a release announcement > email from you; yes there are some measures in place to combat things > like this, but it isn't that hard. Granted, you might notice this > attack relatively quickly, but if the attack was timed to happen while > you were away from your email for an extended period of time (travel, > etc.) the window could be non-trivial, and even then, how many > installs could have already been put at risk? > > Steve, it's pretty apparent at this point that you don't want to, and > aren't likely to, provide any form of signed checksum for the audit > userspace release. That's your prerogative, and to some like William, > they may be content with that level of risk. However, please don't > pretend that signing releases doesn't provide an additional layer of > protection.
As I said in a subsequent email, "we'll go with hashes now and work up to signing another day." But I really am serious that the biggest threat to the project is not some wild eyed MITM attack targeting a whole distribution. Its me. I doubt few people truly understand the impact of the bug that Laurent reported and why it moved me to change plans and do a quick release. (It was not because ausearch was segfaulting.) Again, I call for more testing and bug reports. I know they are in the code. I find a couple every day or two. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
