Saw this post and thought I'd forward it along here. https://news.ycombinator.com/item?id=22208557
""" It's definitely an issue that the sha256 checksum check was broken. But, can someone explain why a person who is MITM'ing ipk downloads would change the package and not the checksum? Are there GPG signatures of the package checksums signed with a key that ships with the release? Are package repos downloaded over HTTPS? Is there a CA bundle in the release with which repo x.509 certs are validated? """ """ I installed newest version OpenWRT on a popular brand, recently manufactured wireless router last week. The OpenWRT firmware couldn't access https sites without installing multiple packages first. Then they had me install all the root certs over an unencrypted connection. The opkg repos and install files are all downloaded over http. With full seriousness, I really hope nobody expects operational security using these routers. """ There's likely some misunderstanding here. Is there a wiki page or similar describing how package repo catalogs, packages, and firmware image updates are built, checksummed, signed, distributed, and signed-checksum-checked? - https://en.wikipedia.org/wiki/The_Update_Framework_(TUF) is a great read. - https://theupdateframework.io/ - https://github.com/theupdateframework/specification/blob/master/tuf-spec.md re: "Thandy" - "PEP 458 -- Secure PyPI downloads with package signing" https://www.python.org/dev/peps/pep-0480/ - "PEP 480 -- Surviving a Compromise of PyPI: The Maximum Security Model" https://www.python.org/dev/peps/pep-0458/ Side note: something like these would be great to have; IDK which repos are appropriate for possible new issues to be owned by someone who knows what is going on: ENH: CDN for package repos and latest version file ENH,SEC: firmware update check script ENH,SEC: send an email when the firmware is out of date ENH,SEC: luci: display firmware update check result and link to latest firmware ENH,SEC: add package repo (and firmware?) 
signing key to keyring ENH,SEC: include ca-certificates and/or openwrt-certificates in builds? Thought I'd forward this along, It seemed deserving of review for something with time to review _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
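The question quoted above (why a MITM would change the package but not its checksum) comes down to whether the checksum list itself is authenticated. The following Go program is an added illustration, not OpenWrt or opkg code: it builds a constructed package index in the spirit of an opkg "Packages" list, signs it with an Ed25519 key standing in for a key shipped in the release, then simulates an on-path attacker who replaces the .ipk and rewrites the plaintext checksum to match. The bare checksum check still passes; only the signature over the index catches the tampering.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// buildIndex writes a constructed index entry (roughly opkg "Packages" style).
func buildIndex(name string, pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return fmt.Sprintf("Package: %s\nFilename: %s.ipk\nSHA256sum: %s\n",
		name, name, hex.EncodeToString(sum[:]))
}

// checksumOK is the unauthenticated check: does the downloaded package
// hash to the value listed in the (also downloaded) index?
func checksumOK(index string, pkg []byte) bool {
	sum := sha256.Sum256(pkg)
	return strings.Contains(index, "SHA256sum: "+hex.EncodeToString(sum[:]))
}

// signatureOK is the authenticated check: was this exact index signed by the
// key whose public half shipped with the firmware image?
func signatureOK(pub ed25519.PublicKey, index string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(index), sig)
}

// Outcome records what each client-side check concluded.
type Outcome struct{ PlainChecksum, SignedIndex bool }

// simulate runs the release side (sign the index once), optionally an on-path
// attacker (swap the package and rewrite its checksum), then both client checks.
func simulate(mitm bool) Outcome {
	pub, priv, err := ed25519.GenerateKey(nil) // build-time key; pub ships in firmware
	if err != nil {
		panic(err)
	}
	pkg := []byte("original ipk bytes (constructed)")
	index := buildIndex("foo", pkg)
	sig := ed25519.Sign(priv, []byte(index)) // Packages.sig-style detached signature
	if mitm {
		pkg = []byte("tampered ipk bytes (constructed)")
		index = buildIndex("foo", pkg) // attacker updates the plaintext checksum too
	}
	return Outcome{checksumOK(index, pkg), signatureOK(pub, index, sig)}
}

func main() {
	fmt.Printf("no MITM: %+v\nMITM:    %+v\n", simulate(false), simulate(true))
}
```

The tampered run reports PlainChecksum true and SignedIndex false, which is exactly why an unsigned checksum served over the same http channel as the package adds no protection against an active attacker.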