Re: signed tarballs

[Steve Grubb <sgrubb@redhat.com>]

On Friday, April 14, 2017 9:06:53 AM EDT Paul Moore wrote:
> On Thu, Apr 13, 2017 at 6:25 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote:
> >> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts
> >> 
> >> <bill.c.roberts@gmail.com> wrote:
> >> > Isn't the hash on the https people's page?
> > 
> > No, its on the mail list. The mail list is moderated. Only a handful of
> > people could post a spoofed message.
> > 
> >> > Which last time I looked wasnt throwing cert errors in chrome.
> >> 
> >> Unless Steve has exclusive administrative access to people.redhat.com
> >> (I think it is safe to say he does not, but correct me if I'm wrong
> >> Steve <b>)
> > 
> > Nope.
> > 
> >> you can't trust an unsigned checksum regardless of how
> >> strong the https cert/crypto as the web admin could still tamper with
> >> the data.
> > 
> > They would have to go tamper with the mail list where all the hashes are
> > publicly disclosed, too. There are multiple mail list archives. Then they
> > would have to post the tampered tarball to the Fedora Build System which
> > also publicly discloses hashs. And the Fedora Build System requires
> > several identity checks to check it in and it maintains a log.
> 
> No.  Since there is no authentication to post to this public email
> list all they would have to do is spoof bogus a release announcement
> email from you; yes there are some measures in place to combat things
> like this, but it isn't that hard.  Granted, you might notice this
> attack relatively quickly, but if the attack was timed to happen while
> you were away from your email for an extended period of time (travel,
> etc.) the window could be non-trivial, and even then, how many
> installs could have already been put at risk?
> 
> Steve, it's pretty apparent at this point that you don't want to, and
> aren't likely to, provide any form of signed checksum for the audit
> userspace release.  That's your prerogative, and to some like William,
> they may be content with that level of risk.  However, please don't
> pretend that signing releases doesn't provide an additional layer of
> protection.

As I said in a subsequent email, "we'll go with hashes now and 
work up to signing another day." But I really am serious that the biggest 
threat to the project is not some wild eyed MITM attack targeting a whole 
distribution. Its me. I doubt few people truly understand the impact of the 
bug that Laurent reported and why it moved me to change plans and do a quick 
release. (It was not because ausearch was segfaulting.) Again, I call for more 
testing and bug reports. I know they are in the code. I find a couple every 
day or two.

-Steve