On 05/19/10 10:56 AM, Nicolas Williams wrote:
On Wed, May 19, 2010 at 04:33:52PM +0100, Darren J Moffat wrote:
...
Maybe nothing if we assume the package contents themselves are
signed - and if they aren't I don't see any benefit in doing
anything additional in the on-disk repo format.  It may well be that
there is nothing worth defending against that isn't already
addressed by the signed package contents.

Attacking the indexes represents mostly a DoS, unless the manifest
signatures do not cover the pkgs' names, in which case there'd be a
redirection attack as well.  Perhaps there'd also be a publisher
substitution attack as well, but I think that can be defended against on
the client side.  Protecting against this sort of DoS attack seems not
worth the effort, and protecting against the redirection attack can be
done by ensuring that the manifest signatures cover the pkg names.

Package manifests include the full FMRI of the package, including publisher prefix (name), like this:

set name=pkg.fmri value=pkg://opensolaris.org/package/[email protected],5.11-0.139:20100511T144547Z

Because of that, manifest signatures include the complete identity of the package. So with that in mind, I believe that a publisher substitution attack as well as a package substitution attack is covered.

However, you're right that now's the time to get this right,
particularly for the over-NFS scenario.

One thing to keep in mind is that signatures on both package manifests and package archives must be optional. That is, signing them can't be required, and although by default the client might require them to be signed, the user must be able to override that since local law or export controls may prevent them from being used.

Cheers,
-Shawn
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss

Reply via email to