Re: Re: Concerns about Security of packages in Debain OS and the Operating system itself.
On Wed, Jun 29, 2022 at 1:46 PM Ravi Dwivedi wrote: > Since the below mentioned analysis of Debian's security, and that too > compared to other distros, is not very well-known outside of Debian > project honestly i don't believe it's even widely known *in* the debian project [quite how damn good what they have is, compared to everything else] > (it didn't come up in any internet searches, the web of trust > gets mentioned but there is not much explanation on it), I suggest > writing in somewhere in Debian wiki or blog post. my replies on this topic keep getting filtered. annoyingly. http://lkcl.net/reports/wot/ http://lkcl.net/reports/wot/Makefile http://lkcl.net/reports/wot/wot.tex http://lkcl.net/reports/wot/wot.pdf > I am willing to write that as well if the Debian project does not have > any problems. patches welcomed to the above (or links to it). yes, debian has a "perception" problem. there are plenty of complaints "But It's Rubbish Because It's So Long To Releases" and the complainers basically have f***-all knowledge of precisely *why* debian's is both resilient and stable, or quite how much work went into making that happen. but to be honest with NixOS developers *genuinely* believing both that their distro is "secure" as well as "The World's First Reproducible Build Distro", given that they had absolutely no idea that debian and fedora both started the work on reproducible builds over 8 years ago, https://archive.fosdem.org/2014/schedule/event/reproducibledebian/ without which NixOS couldn't even begin to make its incorrect claims, and that the NixOS developers had never even seen the wiki page nor the build graph, https://wiki.debian.org/ReproducibleBuilds this indicates that there's a much bigger perception problem for debian that goes way beyond just security and the web-of-trust. how to fix that? honestly i have no idea. should debian developers even care, and just get on with what they do best? (serious question!) l.
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
On Mon, May 23, 2022 at 7:59 PM Adam McKenna wrote: > You are talking about a deterrent though. I think the question is, > what if someone cares more about their political cause than > retaining their uploader access? they get one and only one chance to do something that stupid. > What if someone's keys are compromised the response is swift: there was a debian developer wrongfully arrested for running a TOR exit node. their key was revoked immediately. l.
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
> they get one and only one chance to do something that stupid. So the answer is that we have no way of preventing a developer from intentionally sabotaging a package in any / as many ways as they choose and the only risk to them is losing their uploader access after the fact? >the response is swift: there was a debian developer wrongfully arrested for running a TOR exit node. their key was revoked immediately. How was this incident detected? On Mon, May 23, 2022 at 12:07 PM lkcl wrote: > On Mon, May 23, 2022 at 7:59 PM Adam McKenna wrote: > > You are talking about a deterrent though. I think the question is, > > what if someone cares more about their political cause than > > retaining their uploader access? > > they get one and only one chance to do something that stupid. > > > What if someone's keys are compromised > > the response is swift: there was a debian developer wrongfully > arrested for running a TOR exit node. their key was revoked > immediately. > > l. >
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
> anyone stupid enough to abuse their position may only do so once, at which point their GPG key is revoked. You are talking about a deterrent though. I think the question is, what if someone cares more about their political cause than retaining their uploader access? What if someone's keys are compromised and an attacker uploads a compromised package? Do we have ways of detecting these breaches or do we rely solely on user reports? On Mon, May 23, 2022 at 11:22 AM lkcl wrote: > On Mon, May 23, 2022 at 6:28 PM Adam McKenna wrote: > > > > > i believe the answer is in the question. debian is based on > distributed trust. i did the analysis (took 3 weeks): it is literally the > only distro in the world with an inviolate chain of trust from a large > keyring dating back 20 years that is itself GPG-signed as a package, with a > package distribution chain from source where all components within the > chain up to release are unbroken and inviolate. > > > > This is not an answer to the question though, OP was asking how we > prevent abuse of that trust. > > reputation, and potentially criminal and civil proceedings. > > all identities are known, and inviolate-known [through the > above-described chain]. > anyone stupid enough to abuse their position may only do so once, at which > point their GPG key is revoked. > > given that GPG key-signing parties require people's real-world identities > to be known, it is easy to track down who signed whose key (it's right > there in the keyring-archive], and request that the signer provide > assistance > to the relevant authorities in proving that real-world identity. > > this will sufficiently piss off those people that trusted them that they > will > be unlikely to work with them ever again [reputation] > > in addition there is the Debian Trademark which if brought into disrepute > through abuse could be utilised to seek damages against the perpetrator. > > bottom line is that it would be a spectacularly stupid thing to do to > violate > the trust and responsibility of being a Debian Maintainer, and the really > interesting bit to me is that this all works in an entirely distributed > manner > and can all entirely be done entirely without a single centralised > authority, > i.e. *not* having to trust f*g google or f*g github with anyone's > real-world identity in any way shape or form. > > l. >
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
On Mon, May 23, 2022 at 07:22:40PM +0100, lkcl wrote: > > > i believe the answer is in the question. debian is based on distributed > > > trust. i did the analysis (took 3 weeks): it is literally the only > > > distro in the world with an inviolate chain of trust from a large keyring > > > dating back 20 years that is itself GPG-signed as a package, with a > > > package distribution chain from source where all components within the > > > chain up to release are unbroken and inviolate. > > > > This is not an answer to the question though, OP was asking how we prevent > > abuse of that trust. > > reputation, and potentially criminal and civil proceedings. > > all identities are known, and inviolate-known [through the > above-described chain]. (there is no mechanism to tie a GPG key to an actual person or to find who actually did the signing) > anyone stupid enough to abuse their position may only do so once, at which > point their GPG key is revoked. (only after the abuse is found) > given that GPG key-signing parties require people's real-world identities > to be known, (depends on your definition of "people's real-world identities") > it is easy to track down who signed whose key (it's right > there in the keyring-archive], and request that the signer provide assistance > to the relevant authorities in proving that real-world identity. (doubtful, considering how GPG key-signing parties actually work) -- WBR, wRAR signature.asc Description: PGP signature
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
On Mon, May 23, 2022 at 6:28 PM Adam McKenna wrote: > > > i believe the answer is in the question. debian is based on distributed > > trust. i did the analysis (took 3 weeks): it is literally the only distro > > in the world with an inviolate chain of trust from a large keyring dating > > back 20 years that is itself GPG-signed as a package, with a package > > distribution chain from source where all components within the chain up to > > release are unbroken and inviolate. > > This is not an answer to the question though, OP was asking how we prevent > abuse of that trust. reputation, and potentially criminal and civil proceedings. all identities are known, and inviolate-known [through the above-described chain]. anyone stupid enough to abuse their position may only do so once, at which point their GPG key is revoked. given that GPG key-signing parties require people's real-world identities to be known, it is easy to track down who signed whose key (it's right there in the keyring-archive], and request that the signer provide assistance to the relevant authorities in proving that real-world identity. this will sufficiently piss off those people that trusted them that they will be unlikely to work with them ever again [reputation] in addition there is the Debian Trademark which if brought into disrepute through abuse could be utilised to seek damages against the perpetrator. bottom line is that it would be a spectacularly stupid thing to do to violate the trust and responsibility of being a Debian Maintainer, and the really interesting bit to me is that this all works in an entirely distributed manner and can all entirely be done entirely without a single centralised authority, i.e. *not* having to trust f*g google or f*g github with anyone's real-world identity in any way shape or form. l.
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
> i believe the answer is in the question. debian is based on distributed trust. i did the analysis (took 3 weeks): it is literally the only distro in the world with an inviolate chain of trust from a large keyring dating back 20 years that is itself GPG-signed as a package, with a package distribution chain from source where all components within the chain up to release are unbroken and inviolate. This is not an answer to the question though, OP was asking how we prevent abuse of that trust. On Sun, Apr 17, 2022 at 12:42 PM lkcl wrote: > > > On 17/04/2022 19:26, Satvik Sinha wrote: > > > abusing your OS's reputation? > > i believe the answer is in the question. debian is based on distributed > trust. i did the analysis (took 3 weeks): it is literally the only distro > in the world with an inviolate chain of trust from a large keyring dating > back 20 years that is itself GPG-signed as a package, with a package > distribution chain from source where all components within the chain up to > release are unbroken and inviolate. > > take ubuntu for example: whilst it has the exact same technology the size > of the developer pool, comprising the web of trust, is both much smaller > and also controlled by one Corporation: Canonical. Canonical says "jump", > the developers ask "how high". > > take Suse, Fedora etc: their RPM packages break the chain of trust by > failing to properly include a GPG Signature of the Release (i do not recall > the exact details, i did the analysis 4 years ago) > > take Archlinux: their community is vulnerable to unverified github > repositories being abandoned, a hacker re-registering them, and a trojan > uploaded and distributed automatically. > > i won't even bother going into the absolute moronic practice of "trusting" > HTTPS: node, pypi, etc should be blindingly obviously untrustworthy, with > the website being a prime hacking target if nothing else. > > even GNU packages are hopelessly inadequately secure as far as social > engineering and hacking are concerned. > > debian is not a single centralised repository, it is controlled by no-one. > you have to compromise hundreds of independent developers before you make > any headway, and as a result it was trusted by e.g. the Venezuelan > Government as the basis for their own distro, many years ago. > > there is not even a centralised dependency on a website: packages may be > securely distributed by Carrier Pigeon or printed out on paper and OCR > scanned if you really want to because there is a full GPG Chain and > Checksums, right back to the source code. > > and that (GPG Chains) basically, is the key. anyone stupid enough to do > something stupid is going to be throwing away their reputation, not just > within the debian project as a maintainer, but for life. > > you abuse your position as a maintainer by putting in trojan code, because > that trojan package had to be GPG Signed, you have to make a *public and > irreversible declaration* which will remain in historical archives for the > rest of your life and beyond. > > this would result in catastrophic consequences for not just their > involvement in debian (which would be terminated with prejudice), but > because their GPG Signature on the trojan package is public, inviolate and > irrevocable, it would also have catastrophic consequences for their career > in IT because nobody would ever trust them in a position of responsibility, > ever again. they'd be flipping burgers for the rest of their life. > > fundamentally, then, you are assuming that there is "one controller of > debian", which is false. there are literally hundreds of *independent* > developers, all of whom know their responsibility, all of whom know that > they have all other independent developers keeping an eye on them. > > this makes debian pretty much the only distro that could be trusted to > remain true to humanity and to its principles and its charter. even when > some of them (you know who you are) are when it comes down to it not very > nice people, they can at least be trusted to do the right thing. > > l. > > > >
Re: Re: Concerns about Security of packages in Debain OS and the Operating system itself.
> Do you have a publication of that analysis? I was thinking the same > about the organization of Debian for some time but never did analysis > or compared it to other distros. i found it here http://lkcl.net/reports/wot/ it's dated 2017 (not a bad guess, 4 years). please bear in mind, the primary reason for writing it was to help a group that was (still is) severely lacking in both technical security understanding and also infrastructure within their distro. as a group they genuinely believed that SSL would be beneficial in some way. a leading gnunet developer on the list made one single comment and then, knowing that the size of the group was large and comprised largely non-security-conscious individuals, knew that any further discussion would be... unwise, declined to take part further. naively, i tried my best to explain it (hence this document - which contains a detailed appendix outlining why SSL is dangerous as it was the primary focus of bikeshedded "but it'll add an extra layer of security") i was intending to document the examples of other Distros, but the bikeshedding degenerated into verbally-abusive behaviour and i was so shocked that i terminated further planned development of the document (and left the group). this has left some of the thoughts which i outlined in my post unpublished. the general idea was - and i would welcome contributions here (http://lkcl.net/reports/wot/wot.tex - also see Makefile in the same dir) the general idea was to add example Distros, explaining where they break down, because they break one (or more) of the chain of integrity, referring clearly to the "Requirement" as a way to do so. (and then clarifying the requirements further, in an iterative process) for example Ubuntu violates at least Requirement 11, because the size of the group comprising the ring-of-trust is too small, and the integrity of the group is compromised because they may be threatened with salary reductions or loss of employment if they don't do what the Corporation demands. it sounds obvious once expressed, but i can guarantee that it's not even remotely on the radar of the average ubuntu user. i do have to say that having a public document like this would go a long way towards preventing some of the criticism that Debian receives for "being slow to react" and "being too complex" or "not secure enough" i've had discussions with NixOS developers recently, who genuinely believe that Debian is vulnerable and NixOS is better because, their words, "debian doesn't have reproducible builds." rather embarrassingly i had to explain to them that the reason why they're having an easy time of adding reproducible builds to NixOS is because both debian and fedora originally did all the heavy lifting, and have had reproducible builds for what... 8 years now? those distros *paved the way*... oh and then didn't really talk about it or promote it. hence why NixOS developers genuinely believe that they are "the world's first secure reproducible build distro". explaining to them that relying on github and unverified unsigned git checkins is a bad idea (no commits and no packages are GPG-signed in NixOS) took multiple round-trips, spanning over a week. > Also I like to add that reproducible builds are an excellent addition > to the mechanisms you are describing. very true: they'd be part of the integrity-checking, down to the binary level. interestingly (this from my Software Engineering training) it'd be added to the section on Functional Specification, not necessarily Requirements. if added to Requirements it would be worded something like: "Other Maintainers should be able to verify the full integrity of a package by reproducing its contents from the original source" the *implementation* of that - part of the Functional Specification - would mention "reproducible builds" because that is *how* you fulfil the Requirement. i'd be delighted to receive a patch to the .tex file to add that: please do also remember to add an appropriate Copyright notice at the same time, should you choose to contribute. http://lkcl.net/reports/wot/wot.tex best, l. --- crowd-funded eco-conscious hardware: https://www.crowdsupply.com/eoma68
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
> i did the analysis (took 3 weeks) Do you have a publication of that analysis? I was thinking the same about the organization of Debian for some time but never did analysis or compared it to other distros. Also I like to add that reproducible builds are an excellent addition to the mechanisms you are describing. Regards
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
Oh On Mon, 18 Apr 2022, 00:00 Daniel Pocock, wrote: > > On 17/04/2022 19:26, Satvik Sinha wrote: > > Hi,guys and Good Day! So in recent days ,it was observed that many open > > source contributors vandalised their or someone else's project's > > reputation to show agendas of Russia-Ukraine war, Some even vandalised > > their project to destroy system in Russia and Belarus (Node-ipc being > > one of them) that affected many people and their trust on open-source > > software. So I wanted to ask How safe is Debian doing right now and how > > will you guys prevent contributors pushing such malicious code into your > > software and how will you detect a software getting vandalised to showed > > Anti-war agenda by abusing your OS's reputation? > > If there are backdoors in Debian then they are harder to detect. Large > intelligence agencies aim for plausible deniability. Look at the > infamous OpenSSL vulnerability[1]. After investing so much time > planting agents and backdoors in Debian, they will not want to blow > their cover by doing something so brash. > > There has recently been evidence on Debian Community News about some > cases, for example: > > Paul Tagliamonte and Sam Hartman and their Pentagon connections, with > photos > > Jonathan Wiltshire and Chris Lamb having GCHQ proximity, with a map > > There are approximately 1000 Debian Developers and when one of us makes > an upload, there is no obligation for somebody else to check it. On the > other hand, there is a period of days or weeks before new uploads can > propagate to stable systems. This may make it more robust if you only > use stable. > > debian-proj...@lists.debian.org is now being censored to stop > discussions like this about Debian integrity. > > Regards, > > Daniel > > 1. > > https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/ > > -- > Debian Developer > https://danielpocock.com >
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
On 17/04/2022 19:26, Satvik Sinha wrote: > abusing your OS's reputation? i believe the answer is in the question. debian is based on distributed trust. i did the analysis (took 3 weeks): it is literally the only distro in the world with an inviolate chain of trust from a large keyring dating back 20 years that is itself GPG-signed as a package, with a package distribution chain from source where all components within the chain up to release are unbroken and inviolate. take ubuntu for example: whilst it has the exact same technology the size of the developer pool, comprising the web of trust, is both much smaller and also controlled by one Corporation: Canonical. Canonical says "jump", the developers ask "how high". take Suse, Fedora etc: their RPM packages break the chain of trust by failing to properly include a GPG Signature of the Release (i do not recall the exact details, i did the analysis 4 years ago) take Archlinux: their community is vulnerable to unverified github repositories being abandoned, a hacker re-registering them, and a trojan uploaded and distributed automatically. i won't even bother going into the absolute moronic practice of "trusting" HTTPS: node, pypi, etc should be blindingly obviously untrustworthy, with the website being a prime hacking target if nothing else. even GNU packages are hopelessly inadequately secure as far as social engineering and hacking are concerned. debian is not a single centralised repository, it is controlled by no-one. you have to compromise hundreds of independent developers before you make any headway, and as a result it was trusted by e.g. the Venezuelan Government as the basis for their own distro, many years ago. there is not even a centralised dependency on a website: packages may be securely distributed by Carrier Pigeon or printed out on paper and OCR scanned if you really want to because there is a full GPG Chain and Checksums, right back to the source code. and that (GPG Chains) basically, is the key. anyone stupid enough to do something stupid is going to be throwing away their reputation, not just within the debian project as a maintainer, but for life. you abuse your position as a maintainer by putting in trojan code, because that trojan package had to be GPG Signed, you have to make a *public and irreversible declaration* which will remain in historical archives for the rest of your life and beyond. this would result in catastrophic consequences for not just their involvement in debian (which would be terminated with prejudice), but because their GPG Signature on the trojan package is public, inviolate and irrevocable, it would also have catastrophic consequences for their career in IT because nobody would ever trust them in a position of responsibility, ever again. they'd be flipping burgers for the rest of their life. fundamentally, then, you are assuming that there is "one controller of debian", which is false. there are literally hundreds of *independent* developers, all of whom know their responsibility, all of whom know that they have all other independent developers keeping an eye on them. this makes debian pretty much the only distro that could be trusted to remain true to humanity and to its principles and its charter. even when some of them (you know who you are) are when it comes down to it not very nice people, they can at least be trusted to do the right thing. l.
Re: Concerns about Security of packages in Debain OS and the Operating system itself.
On 17/04/2022 19:26, Satvik Sinha wrote: > Hi,guys and Good Day! So in recent days ,it was observed that many open > source contributors vandalised their or someone else's project's > reputation to show agendas of Russia-Ukraine war, Some even vandalised > their project to destroy system in Russia and Belarus (Node-ipc being > one of them) that affected many people and their trust on open-source > software. So I wanted to ask How safe is Debian doing right now and how > will you guys prevent contributors pushing such malicious code into your > software and how will you detect a software getting vandalised to showed > Anti-war agenda by abusing your OS's reputation? If there are backdoors in Debian then they are harder to detect. Large intelligence agencies aim for plausible deniability. Look at the infamous OpenSSL vulnerability[1]. After investing so much time planting agents and backdoors in Debian, they will not want to blow their cover by doing something so brash. There has recently been evidence on Debian Community News about some cases, for example: Paul Tagliamonte and Sam Hartman and their Pentagon connections, with photos Jonathan Wiltshire and Chris Lamb having GCHQ proximity, with a map There are approximately 1000 Debian Developers and when one of us makes an upload, there is no obligation for somebody else to check it. On the other hand, there is a period of days or weeks before new uploads can propagate to stable systems. This may make it more robust if you only use stable. debian-proj...@lists.debian.org is now being censored to stop discussions like this about Debian integrity. Regards, Daniel 1. https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/ -- Debian Developer https://danielpocock.com