From: Joseph Parmelee <jparmele@wildbear.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: "Carlos Martín Nieto" <cmn@elego.de>,
"Olsen, Alan R" <alan.r.olsen@intel.com>,
"Michael Witten" <mfwitten@gmail.com>,
"git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Lack of detached signatures
Date: Wed, 28 Sep 2011 16:40:33 -0600 (CST) [thread overview]
Message-ID: <alpine.LNX.2.00.1109281536540.25187@bruno> (raw)
In-Reply-To: <7v1uv01uqm.fsf@alter.siamese.dyndns.org>
On Wed, 28 Sep 2011, Junio C Hamano wrote:
> Joseph Parmelee <jparmele@wildbear.com> writes:
>
>> There is confusion here between the repository and the tarball. Once you
>> have produced the tarball there is NO cryptographic protection against
>> forgeries unless you sign it with GPG.
>
> True.
>
> If I give you a URL http://code.google.com/p/git-core/downloads/list with
> checksums
>
> $ sha1sum git-1.7.7.rc3.tar.gz
> c6ba05a833cab49dd66dd1e252306e187effbf2b git-1.7.7.rc3.tar.gz
>
> You either have to trust that code.google.com/ is not broken, or this
> message is coming from real Junio (provided if you can trust him in the
> first place).
>
How do I know that I am actually connected to code.google.com and not some
other site served up to me by a bogus proxy somewhere?
> BUT.
>
> The world is not so blank-and-white. Trust is ultimately among humans. If
> this message is not from the real Junio, don't you think you will hear
> something like "No, that c6ba05... is forgery, please don't use it!" from
> him, when he finds this message on the Git mailing list? If he does not
> exercise diligence to even do that much, does he deserve your trust in the
> first place?
>
> GPG does add security (if you have the key) but you can do pretty well
> even without it in practice.
>
Nonsense. There is a reason why responsible sites everywhere use detached
signatures on their release tarballs.
>> It is only because kernel.org exercised due diligence in the production of
>> tags and signatures on all their tarballs that the kernel code itself
>> withstood their recent intrusion....
>
> I do not think that is true at all. Developers just dropped *.tar.gz on a
> 'master' machine, and left the rest to a cron job that reflates the
> tarball into *.tar.bz2, sign both using a GPG key, and mirror them to the
> public-facing machines 'www'.
>
> Somebody who had access to the 'master' machine could add a new tarball
> and have it go thru the same exact process, getting signed by the cron.
>
The "cron job" provided the passphrase for the signing as well instead of
requiring a human to authorize the transaction by providing the passphrase
or by some other means? I suspect not. Have you actually used GPG to sign
something?
And even if that egregious error (no human authorization) had been made,
there is the matter of the secret signing key. Of course if the bad guys
have that (and the passphrase) then they have everything and can readily
prepare fraudulent packages. But without a detached signature you are
allowing them to do it even without going to the bother of stealing the
secret key and breaking/stealing the passphrase. Without a dual key
signature, you are providing ABSOLUTELY NO protection against
man-in-the-middle attacks that you will never know occurred, but which will
nevertheless (rightfully) reflect on your project. To just assert that "you
can do pretty well even without it in practice" is just plain irresponsible
and convinces me not to update our copies of git until it returns to
kernel.org and to administrators that understand the situation.
next prev parent reply other threads:[~2011-09-28 23:25 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-27 23:48 Lack of detached signatures Joseph Parmelee
2011-09-28 0:03 ` Junio C Hamano
2011-09-28 0:07 ` Michael Witten
2011-09-28 4:17 ` Olsen, Alan R
2011-09-28 7:41 ` Carlos Martín Nieto
2011-09-28 12:36 ` Joseph Parmelee
2011-09-28 16:45 ` Junio C Hamano
2011-09-28 16:55 ` Michael Witten
2011-09-28 16:59 ` Matthieu Moy
2011-09-28 22:25 ` Jeff King
2011-09-28 23:09 ` Ted Ts'o
2011-09-29 0:28 ` Junio C Hamano
2011-09-29 1:59 ` Ted Ts'o
2011-09-29 3:50 ` Junio C Hamano
2011-09-29 13:18 ` Ted Ts'o
2011-09-29 14:40 ` Sverre Rabbelier
2011-09-29 14:50 ` Ted Ts'o
2011-09-29 14:52 ` Sverre Rabbelier
2011-09-29 16:47 ` Joseph Parmelee
2011-09-29 1:29 ` Joseph Parmelee
2011-09-29 1:41 ` Jeff King
2011-09-29 20:31 ` Olsen, Alan R
2011-09-28 22:40 ` Joseph Parmelee [this message]
2011-09-28 17:03 ` Ben Walton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LNX.2.00.1109281536540.25187@bruno \
--to=jparmele@wildbear.com \
--cc=alan.r.olsen@intel.com \
--cc=cmn@elego.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=mfwitten@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox