Re: [suse-security] Secure updating/installing of packages

/ 2004-07-20 08:11:22 +0200 \ Markus Gaugusch:
> On Jul 20, neodaxus@gmx.net <neodaxus@gmx.net> wrote:
> > theoretically it is possible that modified packages for Linux distributions are made available in order to create backdoors (e.g. through a hacked server or mirror, wrong IP routing / DNS resolving, or simply someone making available manipulated packages at a site under his control).
> > I wonder how SuSE and other distros protect themselves against this threat. [...] Who knows about SuSE (YOU + Yast)?
>
> All SuSE packages are cryptographically signed with the SuSE build key (build@suse.de). It is automatically installed from the CDs.
> In addition to that, fou4s (http://fou4s.gaugusch.at/) allows you to install packages that are signed with fully trusted keys, apart from the SuSE key.

sure. but part of the question is, how does SuSE ensure that what they distribute is not trojaned because the sources of some upstream package already are trojaned?

well, I think to some degree you have to trust _someone_ . I like to trust the SuSE people that they know their business, and do some audits. but knowing about the details how they ensure integrity of upstream package sources would be nice anyways ...

lge

Quoting Lars Ellenberg <l.g.e@web.de>:
> > All SuSE packages are cryptographically signed with the SuSE build key (build@suse.de). It is automatically installed from the CDs.
> > In addition to that, fou4s (http://fou4s.gaugusch.at/) allows you to install packages that are signed with fully trusted keys, apart from the SuSE key.
>
> sure. but part of the question is, how does SuSE ensure that what they distribute is not trojaned because the sources of some upstream package already are trojaned?
> well, I think to some degree you have to trust _someone_ . I like to trust the SuSE people that they know their business, and do some audits. but knowing about the details how they ensure integrity of upstream package sources would be nice anyways ...

All SuSE packages are built by SuSE. Security updates are patched by SuSE and rebuilt in order to keep versions matching. In cases where a new version is released to fix a security bug, SuSE backports the patch manually. Red Hat also does this, and likely most of the other big Linux vendors. If there's a trojan in those patches, somebody's likely to notice.

Is it conceivable that a trojaned package could get through? Sure, it's possible. But then, even major closed source vendors have occasionally shipped a product infected with a virus. And, in this case, it would have to be the author of the package that deliberately puts the trojan in. Once found, no one will ever trust that author again, so no programmer is willing to risk it, because it will be found and posted on bugtraq eventually.
participants (2): Lars Ellenberg, suse@rio.vg