After getting the news about Microsoft's minor little security flaw (the illicit backdoor into massive amounts of confidential information throughout the internet) I got to thinking about the security issues related to downloading rpms and the like. I am sure I am the only person on this list who hasn't read every line of code that I have downloaded or otherwise installed on my box. The others of you who have read all this source may not think this to be much of an issue. I OTOH, being lazy, find myself just a bit uneasy about the security of the code I use.
From time to time I have seen where some packages will have accompanying signature files. I have to admit I never knew how to use these. It is something I need to get a better understanding of. I was thinking that a tool such as YAST could have a built-in signature checking device that would verify that the downloaded rpm was created by an organization which has undergone some type of integrity verification. Something along the lines of Verisign's issuance of certificates to web sites.
The way this would work is as follows: There is some fine, reliable company staffed by honest people, e.g., SuSE. SuSE would distribute a CA certificate with their CD. That way we are pretty darn sure we don't accept some impersonator's CA certificate. This CA certificate would already be installed into YAST. When rpms are installed, YAST would check to see if they are properly signed and unaltered. Binary RPMs could even be bound to their related source by hashing the source and including the hash in the binary rpm before signing it. If there were some other major organization distributing rpms, the KDE project, for example, they also could make a CA certificate available. This could be done either through the physical distribution of the certificates on the Linux distribution CDs, or by participating in a network of trusted CAs.

By having signed binaries bound to signed source code, one could be sure that they have an rpm distributed by a reputable organization, and could read the source to see if there were any "back doors" or other malicious code. There would be the added advantage that, in the case someone, anywhere in the world, found malicious code, the signature associated with the defective rpm could be published to a common distribution point where the rest of us could compare our installations to this list. Furthermore, if YAST had the ability to establish TLS ftp sessions using certificates signed by SuSE's CA, we could be sure we are downloading from a trusted site.

An idea that may be a bit too controversial to actually implement is this: SuSE could issue digital certificates based on a one-time password included in the distribution. This could even be the registration code. That certificate could enable people who have paid for the latest distribution to access the associated RPMs over the net. That way if you don't have the CD in your hand, you can still access the download site before it is opened to the public.
This would be a valuable selling point for the distribution boxes. There may already be some integrity checking going on with the SuSE rpms. If so, I would like to learn about it. Just think folks, not only can we say our source is open so we can read the backdoors ourselves, we can say we have the whole world looking for malicious code in the source we use, and if it's found, we can track it down easily.

Steve

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
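The verification model sketched in the post (a distributor key shipped with the install media, a signed binary bound to the hash of its source, and a published list of signatures known to belong to bad packages) can be illustrated in a few dozen lines. The following is an added example written for this page; it is not code from the post, from SuSE or from YaST, and it does not use RPM's real signature format. It assumes an Ed25519 key pair standing in for the distributor's CA certificate, a simplified manifest (package name plus the two hashes) as the thing that gets signed, and the hypothetical function names Sign and Verify for the build-side and install-side steps.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the record the distributor signs. It binds the binary
// package to the exact source it was built from, so a verified binary
// can always be traced back to readable source.
type Manifest struct {
	Name       string
	BinaryHash [sha256.Size]byte
	SourceHash [sha256.Size]byte
}

// encode produces the canonical byte string that is signed. A
// length-prefixed name plus two fixed-width hashes leaves no ambiguity
// about where one field ends and the next begins.
func (m Manifest) encode() []byte {
	var buf bytes.Buffer
	fmt.Fprintf(&buf, "%d:%s", len(m.Name), m.Name)
	buf.Write(m.BinaryHash[:])
	buf.Write(m.SourceHash[:])
	return buf.Bytes()
}

// SignedPackage is what a download site would serve: the binary, its
// manifest and the distributor's signature over that manifest.
type SignedPackage struct {
	Manifest  Manifest
	Signature []byte
	Binary    []byte
}

// Sign is the distributor's build step (hypothetical, not a real RPM
// tool): hash the binary and the source it came from, then sign the manifest.
func Sign(priv ed25519.PrivateKey, name string, binary, source []byte) SignedPackage {
	m := Manifest{Name: name, BinaryHash: sha256.Sum256(binary), SourceHash: sha256.Sum256(source)}
	return SignedPackage{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Binary: binary}
}

var (
	ErrBadSignature   = errors.New("manifest not signed by the trusted distributor key")
	ErrRevoked        = errors.New("signature appears on the published bad-package list")
	ErrBinaryTampered = errors.New("binary does not match the signed hash")
	ErrSourceMismatch = errors.New("source does not match the hash bound into the signed package")
)

// Verify is the installer's side. trusted is the distributor public key
// that shipped on the install media; revoked is the published list of
// signatures (hex) belonging to packages later found to be malicious;
// source may be nil when the user has only the binary.
func Verify(trusted ed25519.PublicKey, pkg SignedPackage, source []byte, revoked map[string]bool) error {
	if !ed25519.Verify(trusted, pkg.Manifest.encode(), pkg.Signature) {
		return ErrBadSignature
	}
	if revoked[hex.EncodeToString(pkg.Signature)] {
		return ErrRevoked
	}
	if sha256.Sum256(pkg.Binary) != pkg.Manifest.BinaryHash {
		return ErrBinaryTampered
	}
	if source != nil && sha256.Sum256(source) != pkg.Manifest.SourceHash {
		return ErrSourceMismatch
	}
	return nil
}

func main() {
	// Constructed demo data: this key pair stands in for the CA certificate on the CD.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	source := []byte("int main(void) { return 0; }\n") // constructed source
	binary := []byte{0x7f, 'E', 'L', 'F', 1, 2, 3}     // constructed binary stand-in
	pkg := Sign(priv, "hello-1.0", binary, source)
	fmt.Println("genuine package:", Verify(pub, pkg, source, nil))

	tampered := pkg // same manifest and signature, altered binary
	tampered.Binary = append([]byte{}, pkg.Binary...)
	tampered.Binary[4] ^= 0xff
	fmt.Println("altered binary: ", Verify(pub, tampered, source, nil))

	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader) // key not on the CD
	fmt.Println("impostor key:   ", Verify(pub, Sign(impostorPriv, "hello-1.0", binary, source), source, nil))

	revoked := map[string]bool{hex.EncodeToString(pkg.Signature): true}
	fmt.Println("on bad list:    ", Verify(pub, pkg, source, revoked))
}
```

Two design points worth noticing: the signature is checked before anything else, so an unsigned or impostor-signed package is rejected before its contents are trusted at all; and because the source hash lives inside the signed manifest rather than beside it, nobody can substitute different source for a genuine binary without the signature failing.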