Reviewing openSUSE-Tumbleweed Distro
Hi there, I'm a contributor to Whonix Anonymous OS (https://www.whonix.org/) and Kicksecure (https://www.kicksecure.com/). I made a Tumbleweed preview you can find here: https://forums.whonix.org/t/opensuse-tumbleweed-distro-preview/20561. I won't duplicate the entire post, I will just duplicate the questions I want to discuss (with some more):

- No mention of passing TUF. Ticket created: https://github.com/openSUSE/zypper/issues/573 to address this.
- Can we have TLS/SSL added by default for Tumbleweed users? The reasoning is explained here (using gpg only is unreliable): https://blog.packagecloud.io/attacks-against-gpg-signed-apt-repositories/.
- Is it possible to have onion hidden services for the repositories similar to Debian? The reasoning is explained here: https://www.kicksecure.com/wiki/Onionizing_Repositories#Introduction.
- How easy is it to accept new packages? We have Whonix https://github.com/Whonix/ and Kicksecure https://github.com/kicksecure/. Can we just create a new user and start uploading directly, or is there a specific process we need to follow? Please provide details if necessary.
- Some packages have been observed to experience delays before reaching users from upstream, which can take more than 6 days (e.g., Firefox https://github.com/Kicksecure/security-misc/issues/138#issuecomment-21455894... and others https://www.kicksecure.com/wiki/Dev/openSUSE#Package_Concurrency). Is this normal, or was it just a one-off delay?
- Does Tumbleweed suffer from the metapackage problem https://www.whonix.org/wiki/Debian_Packages#Technical_Information similar to Debian?
- As far as I know, Tumbleweed signs both data and metadata, correct?
- Can the live CD version be installed offline? I noticed the installer from the live CD requests an internet connection; otherwise, it won't proceed.
- Does openSUSE have the same policy regarding Embedded Copies as Debian https://wiki.debian.org/EmbeddedCopies?

I think that's it for now.
I hope only developers respond to these questions so I can get the most accurate answers. ThX!
17.10.2024 20:10, bo0od via openSUSE Factory wrote:
- Can we have TLS/SSL added by default for Tumbleweed users? The reasoning is explained here (using gpg only is unreliable): https://blog.packagecloud.io/attacks-against-gpg-signed-apt-repositories/.
Explain how TLS prevents any of the listed attacks.
TLS not only provides encryption but is also used for integrity checking and authentication. How does it prevent attacks? Let's take one example: Replay Attack. Replay Attack: Occurs when an attacker intercepts and resends an old version of a package or metadata, fooling the client into installing outdated or vulnerable versions. With TLS: It ensures that all communication between the client (your system) and the repository server is encrypted and authenticated. Since TLS uses session keys and timestamps, it can detect when a replay attempt is made. By establishing an encrypted and authenticated session with the server, it ensures that the attacker cannot inject an older version of the metadata or package files without detection, as the integrity and authenticity of the transmission are verified in real time. The link I sent already explains it well for anyone familiar with how TLS works.
On Thursday 2024-10-17 19:10, bo0od via openSUSE Factory wrote:
- Can we have TLS/SSL added by default for Tumbleweed users? The reasoning is explained here (using gpg only is unreliable): https://blog.packagecloud.io/attacks-against-gpg-signed-apt-repositories/.
Signatures on the packages ensure authenticity, whereas TLS gives you confidentiality of the download. Of course both are good to have.
"""GPG signing a Debian package does nothing because package signatures are not verified by default"""
Sounds more like an apt-specific problem.
- How easy is it to accept new packages? We have Whonix https://github.com/Whonix/ and Kicksecure https://github.com/kicksecure/. Can we just create a new user and start uploading directly, or is there a specific process we need to follow? Please provide details if necessary.
You can just upload. But I see no point in having e.g. https://github.com/Whonix/whonix-base-files in Tumbleweed. The package is described as """This package contains several important miscellaneous files, such as /etc/issue, /etc/motd, /etc/dpkg/origins/whonix, /etc/skel/.bashrc, /usr/bin/whonix, and others.""", and I can tell you, we already have /etc/motd, and we do not exercise dpkg. So whonix-base-files would be dead weight.
- Some packages have been observed to experience delays before reaching users from upstream, which can take more than 6 days (e.g., Firefox https://github.com/Kicksecure/security-misc/issues/138#issuecomment-21455894... and others https://www.kicksecure.com/wiki/Dev/openSUSE#Package_Concurrency). Is this normal, or was it just a one-off delay?
"""Conclusion: From 19 Dec 2023 until 01 Feb 2024, OpenSUSE Tumbleweed is late uploading the new QEMU version for more than 1 month. Nothing happened in all of January 2024."""
Check your investment. Furthermore, latest is not always greatest. Staying behind can be a conscious decision. It seems the guys at kicksecure.com have forgotten that a distro is not just a dull delivery mechanism, but a concerted effort to create a curated ensemble.
- Does Tumbleweed suffer from the metapackage problem https://www.whonix.org/wiki/Debian_Packages#Technical_Information similar to Debian?
Again, it's a conscious decision. The use of --no-recommends has consequences, in particular that programs get installed and then are not living up to user expectations.
- As far as I know, Tumbleweed signs both data and metadata, correct?
yes
- Does openSUSE have the same policy regarding Embedded Copies as Debian https://wiki.debian.org/EmbeddedCopies?
Generally, files downloaded elsewhere are stored as unmodified copies, for reasons of integrity checking.
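The replay question above and the "signs both data and metadata" answer meet in one place: a signed repomd.xml from last year still carries a valid signature, so signature verification by itself cannot tell a fresh index from a replayed one. The following is an added example, not zypper's or libzypp's code. It assumes the detached GPG signature on repomd.xml has already been verified by the package manager and only performs the two checks that verification does not: refuse to roll back to a lower <revision> than the client has already accepted, and confirm that the referenced metadata file matches the sha256 recorded in the signed index (the chain that makes the metadata signature cover the data). The repomd.xml and primary.xml documents are constructed inline for the demonstration. Note that a rollback check catches replay of older metadata but not a freeze on the newest metadata an attacker managed to capture; that case needs a signed expiry in the metadata, which is what the TUF ticket is about.

```python
"""Freshness and hash-chain checks on rpm-md repository metadata.

Added example; not zypper/libzypp code. Assumes the repomd.xml signature
(repomd.xml.asc) has ALREADY been verified by rpm/zypper. An old signed
index still verifies, so the client must also refuse rollback and check
that each referenced file matches its signed checksum.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

NS = {"r": "http://linux.duke.edu/metadata/repo"}


class MetadataError(Exception):
    """Raised when metadata must be rejected."""


# Constructed sample primary.xml (the "data" the index points at).
PRIMARY_XML = (
    b'<?xml version="1.0"?><metadata packages="1">'
    b'<package type="rpm"><name>example</name><version ver="1.2"/></package>'
    b"</metadata>"
)
PRIMARY_SHA256 = hashlib.sha256(PRIMARY_XML).hexdigest()


def make_repomd(revision: int, primary_sha256: str) -> bytes:
    """Build a minimal repomd.xml (constructed for the example).

    In real repos <revision> is normally a Unix timestamp of the
    metadata generation, which is what makes rollback detectable.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        f"  <revision>{revision}</revision>\n"
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{primary_sha256}</checksum>\n'
        '    <location href="repodata/primary.xml"/>\n'
        "  </data>\n"
        "</repomd>\n"
    ).encode()


def parse_repomd(repomd_xml: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (revision, {data_type: sha256}) from a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    rev_el = root.find("r:revision", NS)
    if rev_el is None or not rev_el.text or not rev_el.text.strip().isdigit():
        raise MetadataError("repomd.xml has no numeric <revision>")
    checksums: Dict[str, str] = {}
    for data in root.findall("r:data", NS):
        dtype = data.get("type", "?")
        cs = data.find("r:checksum", NS)
        # Only accept a strong digest; reject anything else outright.
        if cs is None or cs.get("type") != "sha256" or not cs.text:
            raise MetadataError(f"missing or non-sha256 checksum for {dtype}")
        checksums[dtype] = cs.text.strip().lower()
    return int(rev_el.text.strip()), checksums


def check_no_rollback(revision: int, last_seen_revision: int) -> None:
    """Reject an index older than one this client already accepted."""
    if revision < last_seen_revision:
        raise MetadataError(
            f"rollback: revision {revision} is older than accepted {last_seen_revision}"
        )


def check_file(dtype: str, blob: bytes, expected_sha256: str) -> None:
    """Tie the data file to the signed index via its checksum."""
    actual = hashlib.sha256(blob).hexdigest()
    if actual != expected_sha256:
        raise MetadataError(f"{dtype}: sha256 {actual} != signed {expected_sha256}")


def accept_repo(repomd_xml: bytes, files: Dict[str, bytes], last_seen_revision: int) -> int:
    """Run all checks; return the revision the client should persist."""
    revision, checksums = parse_repomd(repomd_xml)
    check_no_rollback(revision, last_seen_revision)
    for dtype, digest in checksums.items():
        if dtype not in files:
            raise MetadataError(f"signed index references missing file: {dtype}")
        check_file(dtype, files[dtype], digest)
    return revision


def is_rejected(repomd_xml: bytes, files: Dict[str, bytes], last_seen_revision: int) -> bool:
    """True if accept_repo rejects the input (convenience for callers/tests)."""
    try:
        accept_repo(repomd_xml, files, last_seen_revision)
    except MetadataError:
        return True
    return False


if __name__ == "__main__":
    files = {"primary": PRIMARY_XML}
    print("fresh index  :", accept_repo(make_repomd(1700000000, PRIMARY_SHA256), files, 1690000000))
    print("replayed old :", is_rejected(make_repomd(1690000000, PRIMARY_SHA256), files, 1700000000))
    print("tampered data:", is_rejected(make_repomd(1700000000, PRIMARY_SHA256), {"primary": PRIMARY_XML + b" "}, 0))
```

The persisted last-seen revision is the piece that has to live on the client (in a real implementation, written only after a successful update and per repository), otherwise every run starts from zero and the rollback check is meaningless.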
On Thursday 2024-10-17 19:10, bo0od via openSUSE Factory wrote:
- Can the live CD version be installed offline?
Technically you can, but it will be a manual process where you have to make partitions yourself and copy files over, since yast has no logic that I know of to clone an actively running system to another disk.
participants (4): Andrei Borzenkov, bo0od, bo0od lo0ol, Jan Engelhardt