* kernel.org frontpage
@ 2003-01-29 5:40 H. Peter Anvin
2003-01-29 9:47 ` John Bradford
0 siblings, 1 reply; 20+ messages in thread
From: H. Peter Anvin @ 2003-01-29 5:40 UTC (permalink / raw)
To: linux-kernel
Just in case anyone cares :) I have changed the kernel.org frontpage
from linking to .gz to linking to .bz2 files. It should now also
display snapshot releases if they exist.
-hpa
--
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt <amsp@zytor.com>
* Re: kernel.org frontpage
2003-01-29 5:40 kernel.org frontpage H. Peter Anvin
@ 2003-01-29 9:47 ` John Bradford
2003-01-29 9:52 ` H. Peter Anvin
0 siblings, 1 reply; 20+ messages in thread
From: John Bradford @ 2003-01-29 9:47 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: linux-kernel
> Just in case anyone cares :) I have changed the kernel.org frontpage
> from linking to .gz to linking to .bz2 files. It should now also
> display snapshot releases if they exist.
Cool, would it be worth putting in a link to the relevant .sign files
as well?
John
* Re: kernel.org frontpage
2003-01-29 9:47 ` John Bradford
@ 2003-01-29 9:52 ` H. Peter Anvin
2003-01-29 15:09 ` Valdis.Kletnieks
2003-01-30 20:42 ` Kasper Dupont
0 siblings, 2 replies; 20+ messages in thread
From: H. Peter Anvin @ 2003-01-29 9:52 UTC (permalink / raw)
To: John Bradford; +Cc: linux-kernel
John Bradford wrote:
>>Just in case anyone cares :) I have changed the kernel.org frontpage
>>from linking to .gz to linking to .bz2 files. It should now also
>>display snapshot releases if they exist.
>
>
> Cool, would it be worth putting in a link to the relevant .sign files
> as well?
No, it would add absolutely nothing (other than clutter.) All the .sign
files are good for is to check for rogue mirrors.
-hpa
* Re: kernel.org frontpage
2003-01-29 9:52 ` H. Peter Anvin
@ 2003-01-29 15:09 ` Valdis.Kletnieks
2003-01-29 18:13 ` H. Peter Anvin
2003-01-29 19:14 ` John Bradford
2003-01-30 20:42 ` Kasper Dupont
1 sibling, 2 replies; 20+ messages in thread
From: Valdis.Kletnieks @ 2003-01-29 15:09 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: John Bradford, linux-kernel
On Wed, 29 Jan 2003 01:52:43 PST, "H. Peter Anvin" said:
> No, it would add absolutely nothing (other than clutter.) All the .sign
> files are good for is to check for rogue mirrors.
Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.
* Re: kernel.org frontpage
2003-01-29 15:09 ` Valdis.Kletnieks
@ 2003-01-29 18:13 ` H. Peter Anvin
2003-01-29 18:36 ` Chris Friesen
2003-01-29 19:14 ` John Bradford
1 sibling, 1 reply; 20+ messages in thread
From: H. Peter Anvin @ 2003-01-29 18:13 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: John Bradford, linux-kernel
Valdis.Kletnieks@vt.edu wrote:
> On Wed, 29 Jan 2003 01:52:43 PST, "H. Peter Anvin" said:
>
>
>>No, it would add absolutely nothing (other than clutter.) All the .sign
>>files are good for is to check for rogue mirrors.
>
>
> Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.
NO!
THE SIGN FILES DO NOT VERIFY AGAINST A COMPROMISED KERNEL.ORG MASTER SITE.
-hpa
* Re: kernel.org frontpage
2003-01-29 18:13 ` H. Peter Anvin
@ 2003-01-29 18:36 ` Chris Friesen
2003-01-29 18:55 ` Valdis.Kletnieks
0 siblings, 1 reply; 20+ messages in thread
From: Chris Friesen @ 2003-01-29 18:36 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: Valdis.Kletnieks, John Bradford, linux-kernel
H. Peter Anvin wrote:
> Valdis.Kletnieks@vt.edu wrote:
>
>> On Wed, 29 Jan 2003 01:52:43 PST, "H. Peter Anvin" said:
>>
>>> No, it would add absolutely nothing (other than clutter.) All the
>>> .sign files are good for is to check for rogue mirrors.
>>
>> Or a rogue *primary* site, as has already happened to OpenSSH and
>> Sendmail.
>
> NO!
>
> THE SIGN FILES DO NOT VERIFY AGAINST A COMPROMISED KERNEL.ORG MASTER SITE.
Perhaps for the truly paranoid the signatures should be posted to this
newsgroup and digitally signed by someone trusted.
Chris
--
Chris Friesen | MailStop: 043/33/F10
Nortel Networks | work: (613) 765-0557
3500 Carling Avenue | fax: (613) 765-2986
Nepean, ON K2H 8E9 Canada | email: cfriesen@nortelnetworks.com
* Re: kernel.org frontpage
2003-01-29 18:36 ` Chris Friesen
@ 2003-01-29 18:55 ` Valdis.Kletnieks
2003-01-29 19:37 ` Russell King
0 siblings, 1 reply; 20+ messages in thread
From: Valdis.Kletnieks @ 2003-01-29 18:55 UTC (permalink / raw)
To: Chris Friesen; +Cc: linux-kernel
On Wed, 29 Jan 2003 13:36:55 EST, Chris Friesen said:
> Perhaps for the truly paranoid the signatures should be posted to this
> newsgroup and digitally signed by someone trusted.
It's called the PGP web of trust. There's already some 107 signatures on
the PGP key - who else would you want signing it? The point is that we've
already (presumably) proved via the web-of-trust that PGP key 517d0f0e is
in fact the proper key, and that for an intruder to post a valid signature
of a trojaned .tar.gz would require them to *ALSO* compromise the machine
that the signing is done on (hopefully a different machine than ftp.kernel.org).
Yes, an intruder could leave a forged signature with a random key easily. But
to leave a forged signature with the key that's already on my keyring is a
lot harder...
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
* Re: kernel.org frontpage
[not found] ` <3E381F47.8060200@nortelnetworks.com.suse.lists.linux.kernel>
@ 2003-01-29 18:55 ` Andi Kleen
0 siblings, 0 replies; 20+ messages in thread
From: Andi Kleen @ 2003-01-29 18:55 UTC (permalink / raw)
To: Chris Friesen; +Cc: hpa, linux-kernel
Chris Friesen <cfriesen@nortelnetworks.com> writes:
> > THE SIGN FILES DO NOT VERIFY AGAINST A COMPROMISED KERNEL.ORG MASTER SITE.
>
> Perhaps for the truly paranoid the signatures should be posted to this
> newsgroup and digitally signed by someone trusted.
Or just sign them on the ftp site with the key from someone trusted.
-Andi
* Re: kernel.org frontpage
2003-01-29 15:09 ` Valdis.Kletnieks
2003-01-29 18:13 ` H. Peter Anvin
@ 2003-01-29 19:14 ` John Bradford
2003-01-29 19:20 ` Valdis.Kletnieks
2003-01-29 19:29 ` H. Peter Anvin
1 sibling, 2 replies; 20+ messages in thread
From: John Bradford @ 2003-01-29 19:14 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: hpa, linux-kernel
> > No, it would add absolutely nothing (other than clutter.) All the .sign
> > files are good for is to check for rogue mirrors.
>
> Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.
I see what you mean, but I don't see how it makes it any less useful
to have them on the front page - if you download the latest kernel
patch from a mirror, you could then just click on the relevant link on
the front page of kernel.org - in fact, as http access to kernel.org is
frequently much slower than ftp, it might actually be very useful,
because anybody downloading via http would make two requests, (OK,
about 7, because of the images on the front page), instead of about
13, if they traverse each directory to the .sign file.
John
* Re: kernel.org frontpage
2003-01-29 19:14 ` John Bradford
@ 2003-01-29 19:20 ` Valdis.Kletnieks
2003-01-29 19:30 ` H. Peter Anvin
2003-01-29 19:54 ` John Bradford
2003-01-29 19:29 ` H. Peter Anvin
1 sibling, 2 replies; 20+ messages in thread
From: Valdis.Kletnieks @ 2003-01-29 19:20 UTC (permalink / raw)
To: John Bradford; +Cc: hpa, linux-kernel
On Wed, 29 Jan 2003 19:14:43 GMT, John Bradford said:
> I see what you mean, but I don't see how it makes it any less useful
> to have them on the front page - if you download the latest kernel
> patch from a mirror, you could then just click on the relevant link on
> the front page of kernel.org - in fact, as http access to kernel.org is
> frequently much slower than ftp, it might actually be very useful,
> because anybody downloading via http would make two requests, (OK,
> about 7, because of the images on the front page), instead of about
> 13, if they traverse each directory to the .sign file.
I was arguing that they *should* be on the front page, since they *are*
useful and it *would* lower the number of requests.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
* Re: kernel.org frontpage
2003-01-29 19:14 ` John Bradford
2003-01-29 19:20 ` Valdis.Kletnieks
@ 2003-01-29 19:29 ` H. Peter Anvin
2003-01-29 19:58 ` John Bradford
1 sibling, 1 reply; 20+ messages in thread
From: H. Peter Anvin @ 2003-01-29 19:29 UTC (permalink / raw)
To: John Bradford; +Cc: Valdis.Kletnieks, linux-kernel
John Bradford wrote:
>>>No, it would add absolutely nothing (other than clutter.) All the .sign
>>>files are good for is to check for rogue mirrors.
>>
>>Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.
>
>
> I see what you mean, but I don't see how it makes it any less useful
> to have them on the front page - if you download the latest kernel
> patch from a mirror, you could then just click on the relevant link on
> the front page of kernel.org - in fact, as http access to kernel.org is
> frequently much slower than ftp, it might actually be very useful,
> because anybody downloading via http would make two requests, (OK,
> about 7, because of the images on the front page), instead of about
> 13, if they traverse each directory to the .sign file.
>
No, just download the signature from the mirror and verify it. This
isn't an MD5 signature.
-hpa
* Re: kernel.org frontpage
2003-01-29 19:20 ` Valdis.Kletnieks
@ 2003-01-29 19:30 ` H. Peter Anvin
2003-01-30 10:55 ` Hans Reiser
2003-01-29 19:54 ` John Bradford
1 sibling, 1 reply; 20+ messages in thread
From: H. Peter Anvin @ 2003-01-29 19:30 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: John Bradford, linux-kernel
Valdis.Kletnieks@vt.edu wrote:
> On Wed, 29 Jan 2003 19:14:43 GMT, John Bradford said:
>
>
>>I see what you mean, but I don't see how it makes it any less useful
>>to have them on the front page - if you download the latest kernel
>>patch from a mirror, you could then just click on the relevant link on
>>the front page of kernel.org - in fact, as http access to kernel.org is
>>frequently much slower than ftp, it might actually be very useful,
>>because anybody downloading via http would make two requests, (OK,
>>about 7, because of the images on the front page), instead of about
>>13, if they traverse each directory to the .sign file.
>
>
> I was arguing that they *should* be on the front page, since they *are*
> useful and it *would* lower the number of requests.
>
I am not going to do something that will provide false security to
people. Case closed; please read the signature FAQ.
-hpa
* Re: kernel.org frontpage
2003-01-29 18:55 ` Valdis.Kletnieks
@ 2003-01-29 19:37 ` Russell King
2003-01-29 19:49 ` Valdis.Kletnieks
0 siblings, 1 reply; 20+ messages in thread
From: Russell King @ 2003-01-29 19:37 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: Chris Friesen, linux-kernel
On Wed, Jan 29, 2003 at 01:55:22PM -0500, Valdis.Kletnieks@vt.edu wrote:
> Yes, an intruder could leave a forged signature with a random key
> easily. But to leave a forged signature with the key that's already
> on my keyring is a lot harder...
I believe a script signs the files on ftp.kernel.org, which means the
private key is on the master machine, probably without a pass phrase.
That means that if the master server is compromised, it's highly likely
that a rogue file will have a correct signature.
As hpa says, the GPG signature provides no assurance that Linus put
up patch-2.5.60.bz2 and not some random other person.
The only way to be completely sure is for Linus to gpg-sign the patches
himself at source with a known gpg key using a secure pass phrase before
they leave his machine (preferably before the machine is connected to
the 'net to upload them for the really paranoid.)
--
Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html
* Re: kernel.org frontpage
2003-01-29 19:37 ` Russell King
@ 2003-01-29 19:49 ` Valdis.Kletnieks
0 siblings, 0 replies; 20+ messages in thread
From: Valdis.Kletnieks @ 2003-01-29 19:49 UTC (permalink / raw)
To: Russell King; +Cc: linux-kernel
On Wed, 29 Jan 2003 19:37:50 GMT, Russell King said:
> I believe a script signs the files on ftp.kernel.org, which means the
> private key is on the master machine, probably without a pass phrase.
> That means that if the master server is compromised, it's highly likely
> that a rogue file will have a correct signature.
OK.. I missed that part, and thought somebody was doing a check-and-balance
before files went out.
> The only way to be completely sure is for Linus to gpg-sign the patches
> himself at source with a known gpg key using a secure pass phrase before
Now there's a thought.. ;)
* Re: kernel.org frontpage
2003-01-29 19:20 ` Valdis.Kletnieks
2003-01-29 19:30 ` H. Peter Anvin
@ 2003-01-29 19:54 ` John Bradford
1 sibling, 0 replies; 20+ messages in thread
From: John Bradford @ 2003-01-29 19:54 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: hpa, linux-kernel
> On Wed, 29 Jan 2003 19:14:43 GMT, John Bradford said:
>
> > I see what you mean, but I don't see how it makes it any less useful
> > to have them on the front page - if you download the latest kernel
> > patch from a mirror, you could then just click on the relevant link on
> > the front page of kernel.org - in fact, as http access to kernel.org is
> > frequently much slower than ftp, it might actually be very useful,
> > because anybody downloading via http would make two requests, (OK,
> > about 7, because of the images on the front page), instead of about
> > 13, if they traverse each directory to the .sign file.
>
> I was arguing that they *should* be on the front page, since they *are*
> useful and it *would* lower the number of requests.
Sorry, I'd deleted the original message, and didn't want to break the
thread :-)
John.
* Re: kernel.org frontpage
2003-01-29 19:29 ` H. Peter Anvin
@ 2003-01-29 19:58 ` John Bradford
0 siblings, 0 replies; 20+ messages in thread
From: John Bradford @ 2003-01-29 19:58 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: Valdis.Kletnieks, linux-kernel
> No, just download the signature from the mirror and verify it. This
> isn't an MD5 signature.
Good point, if the main site has been compromised, and the key
obtained, it would be a bit pointless concerning ourselves with
whether the mirror had been compromised separately :-)
John.
* Re: kernel.org frontpage
2003-01-29 19:30 ` H. Peter Anvin
@ 2003-01-30 10:55 ` Hans Reiser
0 siblings, 0 replies; 20+ messages in thread
From: Hans Reiser @ 2003-01-30 10:55 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: Valdis.Kletnieks, John Bradford, linux-kernel
H. Peter Anvin wrote:
>I am not going to do something that will provide false security to
>people. Case closed; please read the signature FAQ.
>
> -hpa
>
>
>
Are you monitoring the development of SFS by Mazieres?
I believe that would be the best way to handle it.
--
Hans
* Re: kernel.org frontpage
2003-01-29 9:52 ` H. Peter Anvin
2003-01-29 15:09 ` Valdis.Kletnieks
@ 2003-01-30 20:42 ` Kasper Dupont
2003-01-30 20:44 ` H. Peter Anvin
2003-01-30 20:50 ` John Bradford
1 sibling, 2 replies; 20+ messages in thread
From: Kasper Dupont @ 2003-01-30 20:42 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: linux-kernel
"H. Peter Anvin" wrote:
>
> All the .sign
> files are good for is to check for rogue mirrors.
I believe I can also use them to check against a MiM
attack against my connection to kernel.org.
--
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:aaarep@daimi.au.dk
for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);
* Re: kernel.org frontpage
2003-01-30 20:42 ` Kasper Dupont
@ 2003-01-30 20:44 ` H. Peter Anvin
2003-01-30 20:50 ` John Bradford
1 sibling, 0 replies; 20+ messages in thread
From: H. Peter Anvin @ 2003-01-30 20:44 UTC (permalink / raw)
To: Kasper Dupont; +Cc: linux-kernel
Kasper Dupont wrote:
> "H. Peter Anvin" wrote:
>
>>All the .sign
>>files are good for is to check for rogue mirrors.
>
> I believe I can also use them to check against a MiM
> attack against my connection to kernel.org.
>
You can, assuming you have a trust path to the key.
-hpa
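
The two conditions raised in this thread (a signature made with the key already on your keyring rather than a random one, and a trust path to that key) can be checked from gpg's machine-readable status output. This is an added example, not part of any message in the thread and not kernel.org's own tooling; the fingerprints and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example. PINNED_FPR, OTHER_FPR and all status lines below are
# constructed placeholders, not the real kernel.org key or real gpg output.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR="FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# classify_status PINNED_FPR < status-lines
# Prints one verdict and returns 0 only for "ok":
#   bad          signature does not match the file (or key expired/revoked)
#   unknown-key  signed by a key that is not on the local keyring
#   wrong-key    valid signature, but not from the pinned key
#   untrusted    pinned key, but no trust path to it
#   ok           pinned key with a marginal, full or ultimate trust path
classify_status() {
    pinned=$1 fields="" trust=no verdict=""
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG|EXPKEYSIG|REVKEYSIG) verdict=bad ;;
            ERRSIG) [ -n "$verdict" ] || verdict=bad ;;
            NO_PUBKEY) verdict=unknown-key ;;
            VALIDSIG) fields=$rest ;;   # signing and primary key fingerprints
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trust=yes ;;
        esac
    done
    if [ -z "$verdict" ]; then
        case " $fields " in
            "  ") verdict=bad ;;        # no VALIDSIG line at all
            *" $pinned "*) [ "$trust" = yes ] && verdict=ok || verdict=untrusted ;;
            *) verdict=wrong-key ;;
        esac
    fi
    echo "$verdict"
    [ "$verdict" = ok ]
}

# verify_release FILE SIGFILE: check a detached .sign against the pinned key.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_status "$PINNED_FPR"
}

# Constructed status output for the situations discussed in the thread.
VALID="2003-01-29 1043819000 0 3 0 17 2 00"
S_TRUSTED="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key
[GNUPG:] VALIDSIG $PINNED_FPR $VALID $PINNED_FPR
[GNUPG:] TRUST_FULLY"
S_NO_PATH="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key
[GNUPG:] VALIDSIG $PINNED_FPR $VALID $PINNED_FPR
[GNUPG:] TRUST_UNDEFINED"
S_RANDOM_KEY="[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Other Key
[GNUPG:] VALIDSIG $OTHER_FPR $VALID $OTHER_FPR
[GNUPG:] TRUST_UNDEFINED"
S_NOT_ON_RING="[GNUPG:] ERRSIG 76543210FEDCBA98 17 2 00 1043819000 9
[GNUPG:] NO_PUBKEY 76543210FEDCBA98"
S_TAMPERED="[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Release Key"
```

An `ok` verdict only says the file matches what the holder of the pinned key signed; it says nothing about whether the machine holding that key was itself compromised, which is the limit argued over in this thread.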
* Re: kernel.org frontpage
2003-01-30 20:42 ` Kasper Dupont
2003-01-30 20:44 ` H. Peter Anvin
@ 2003-01-30 20:50 ` John Bradford
1 sibling, 0 replies; 20+ messages in thread
From: John Bradford @ 2003-01-30 20:50 UTC (permalink / raw)
To: Kasper Dupont; +Cc: hpa, linux-kernel
> > All the .sign
> > files are good for is to check for rogue mirrors.
>
> I believe I can also use them to check against a MiM
> attack against my connection to kernel.org.
Yes.
John.