On Apr 29, 2013, at 6:56 PM, Dennis E. Hamilton wrote:

> @Daniel,
>
> Right, this is about poisoning the committer keys but not touching the SVN,
> instead, counterfeiting a binary release downstream, but faking the asc, md5,
> and sha1 too. (These would not be at dist, and depend on folks not noticing
> because the instructions for how to check correctly are so obscure. It is
> very far-fetched, since there are easier exploits that rely on users not
> being equipped to verify what they are getting and not relying on the
> authentic download location.
>
> Another way would be to attack the release candidate in the release manager's
> ASF FreeBSD account, although someone who checks the signature might notice
> that it is by an unexpected committer. Again, reasonably far-fetched. Two
> committers would have to be compromised, or the Release Manager would have to
> be compromised and not notice that there is a new fingerprint in the RM's
> profile. I like that last one. It has a certain movie-plot plausibility.
> Whoever looks for funny business in their profile, or odd materials in their
> keys entry? (Note that it is the binaries that are compromised, there is no
> messing with the source tarballs.)

When I vote on a release I am looking at the fingerprint. This is where looking
for a fingerprint that is on the "Web of Trust" is important.

http://people.apache.org/~henkp/trust/

I like Henk's opinion here:

> what can I trust, ultimately ?
>
> The short answer is nothing.
> For the ultra sceptics there is no hope.
>
> • you can't trust the things you did yesterday, because you can't trust
>   your memory
> • you can't trust software you didn't write or hardware you didn't build
> • you can't overlook the possibility that apache.org is a fake, set up
>   especially to lure you into using bad software

Regards,
Dave

> - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:[email protected]]
> Sent: Monday, April 29, 2013 15:58
> To: Dennis E. Hamilton
> Cc: [email protected]; [email protected]
> Subject: Re: Proposal: Improve security by limiting committer access in SVN
> -- KEYS Compromise Exposure
>
> Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700:
>> 5. This is sufficient to poison a download mirror site with
>> a counterfeit download so long as the ASC, SHA1, and MD5 locations
>> can also be spoofed without the user noticing.
>
> Right. The normal answer here is "They will have to commit to the dist/
> repository which will cause a post-commit mail which someone will
> notice". I'd be interested in hearing (on infra-dev@) how you break
> this without assuming a mirror gets compromised (if _that_ happens,
> it's game over for users who don't verify PGP sigs).
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
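The thread's point is that checking a signature is not enough: the signing key must be one you expected, and the checksums must be compared rather than merely downloaded. The script below is an added example for this thread, not code from the ASF, from any of the posters, or from any project's release tooling. It assumes the standard gpg `--status-fd` line format (`VALIDSIG` carries the signing-key fingerprint and, as its last field, the primary-key fingerprint) and the usual KEYS layout (a `gpg --fingerprint` listing). The fingerprint, key listing, status lines and artifact bytes are constructed sample values, not real keys or releases; `apache-foo-1.0-bin.tar.gz` is a placeholder name.

```python
"""Verify a downloaded release the way a reviewer would: the signature must be
VALID (not merely GOOD) and made by a key listed in the canonical KEYS file, and
the published digest must match the bytes actually downloaded.
Added example; not part of the original thread or of any ASF tooling."""
import hashlib
import re
import subprocess
from typing import Optional, Set, Tuple

# A 40-hex OpenPGP v4 fingerprint, possibly written as ten groups of four with
# spaces between them (gpg prints a double space after the fifth group).
FINGERPRINT_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{4}[ \t]*){10})(?![0-9A-Fa-f])")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form for comparison: no whitespace, upper case."""
    return re.sub(r"\s+", "", fp).upper()


def trusted_fingerprints(keys_text: str) -> Set[str]:
    """Every fingerprint printed in a KEYS file fetched from the canonical dist
    location (not from a mirror); these are the only signers we will accept."""
    return {normalize_fingerprint(m.group(1)) for m in FINGERPRINT_RE.finditer(keys_text)}


def signature_fingerprints(status_output: str) -> Optional[Tuple[str, str]]:
    """Return (signing_key_fpr, primary_key_fpr) from gpg --status-fd output.
    Only a VALIDSIG line counts; GOODSIG alone proves nothing about which key."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            signing = parts[2].upper()
            # Field layout: fpr date ts expire ver reserved pkalgo hashalgo class [primary-fpr]
            primary = parts[11].upper() if len(parts) >= 12 else signing
            return signing, primary
    return None


def signer_is_trusted(status_output: str, keys_text: str) -> Optional[str]:
    """Primary fingerprint of the signer if it appears in KEYS, else None.
    A valid signature from an unexpected committer is rejected here, which is
    the 'notice that it is by an unexpected committer' check from the thread."""
    fps = signature_fingerprints(status_output)
    if fps is None:
        return None
    signing, primary = fps
    trusted = trusted_fingerprints(keys_text)
    return primary if (primary in trusted or signing in trusted) else None


def checksum_matches(data: bytes, checksum_text: str) -> bool:
    """Compare data against the first '<hexdigest>  <name>' line; the algorithm
    is inferred from digest length (md5/sha1/sha256/sha512)."""
    by_len = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
    for line in checksum_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        algo = by_len.get(len(fields[0]))
        if algo:
            return hashlib.new(algo, data).hexdigest().lower() == fields[0].lower()
    return False


def run_gpg_verify(artifact: str, asc: str, keyring: str) -> str:
    """Run gpg against a keyring populated only from the canonical KEYS file
    (absolute path), so keys on the default keyring cannot satisfy the check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", asc, artifact],
        capture_output=True, text=True)
    return proc.stdout


# Constructed sample inputs (not a real key, listing, or release).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_KEYS = """\
pub   4096R/01234567 2013-04-29
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid   Example Release Manager <rm@example.invalid>
"""
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Manager <rm@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2013-04-29 1367280000 0 4 0 1 10 00 {SAMPLE_FPR}\n")
SAMPLE_ARTIFACT = b"abc"  # stands in for apache-foo-1.0-bin.tar.gz (placeholder name)
SAMPLE_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d  apache-foo-1.0-bin.tar.gz\n"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  apache-foo-1.0-bin.tar.gz\n"

if __name__ == "__main__":
    print("trusted signer:", signer_is_trusted(SAMPLE_STATUS, SAMPLE_KEYS))
    print("sha1 ok:", checksum_matches(SAMPLE_ARTIFACT, SAMPLE_SHA1))
```

In real use `run_gpg_verify` supplies the status text, and both KEYS and the checksum file should come from the canonical dist location rather than from the same mirror as the artifact; otherwise the spoofed `.asc`/`.sha1`/`.md5` scenario in the thread passes every check.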
