On Sat, Mar 10, 2018 at 07:19:11PM +0100, Marek Marczykowski-Górecki wrote:
> Is there any sensible way of installing OTS client securely? There is a
> chain of dependencies which are not packaged for either Debian or
> Fedora (python-opentimestamps, bitcoinlib, pysha3, ...). And since pip
> relies only on https (so, integrity of its infrastructure), the only
> alternative is downloading sources manually, verifying its signature
> (after finding and verifying what key should really be used for that
> particular package), then installing it in /usr/local or such.

Yup, I agree that the dependencies are still a problem. That said, some
of them I could avoid, e.g. pysha3 is only needed if you want to verify
an ethereum-using timestamp, which is a niche case; I could make that
optional. Even python-bitcoinlib could be made optional I think. There
also does exist a python-bitcoinlib package for Debian buster (testing),
although AFAIK not Fedora.

> And even if I'd do all that (I gave up after two iterations), then I
> need to manually track updates for all those packages. Otherwise I risk
> exposing my development environment to yet another attack vector. Well,
> by installing ots client I do that anyway, but by not updating that
> stuff, I make things easier for the attacker, because he/she could use
> publicly known, already patched vulnerabilities.

Definitely an issue. You also have the problem that timestamping
inherently requires communication with the outside world - a
Qubes-specific RPC "firewall" could be a good idea here, as you suggest
below.

> I have better use for my time...
>
> I see two solutions for this problem:
> 1. Package all the dependencies for Fedora (preferred) and/or Debian.
> 2. Make a split-gpg-like integration so those possibly
> outdated/backdoored (pip install...) packages would run in separate VM
> (maybe even DispVM).
>
> I'm not sure about ots client interface, but the second approach may be
> not that hard to implement.

When you say "Fedora", what exact version do you need it for? I have
clients who need RPM packages for this anyway.

Also, what's the best infrastructure to provide for this? Like, on
Ubuntu I could provide packages via Launchpad, but I don't know if
there's an equivalent for Fedora.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
