
Thread: Security of repositories and update scripts

  1. #1

    Security of repositories and update scripts

    This is a curiosity I have had for quite a time.

    The update repositories are digitally signed. The repository mechanisms are http (and not https).

    The digital signatures of the build service and the so-called community repositories are not automatically recognized by the base distribution. But since there is no physical book with printed fingerprints of the signatures, users are induced to "just trust" the fingerprint proposed.

    Then the update is done over http and not https.

    In light of programs like Ippon and Evilgrade, what is the rationale behind these choices? And does this not pose a problem in the near future?

    Just "clicking away" security warnings about a change in repo signature? Not able to control?
    Then please vote for
    openSUSE should have an efficient web of trust.

  2. #2

    Re: Security of repositories and update scripts

    I don't know how these tools work, but every time a package changes when you download them, it notifies you if the md5 sum changed (though sha256 would be safer) and asks you if you want to accept them.

    How does a Linux geek make love?

    - rtfm; unzip; strip; touch; finger; mount; fsck; more; yes; umount; zip; sleep;

  3. #3

    Re: Security of repositories and update scripts

    My very crude understanding is you can get all the sigs from a public key server. As for checking the web of trust, well, that is for you to decide, but with the few SUSE keys we can presume are trusted countersigning other keys, there is some kind of crude basic web of trust (not of an NSA standard, of course).

    But to me I do find it a little bit of a placebo, as many don't check the keys, though I suspect there is a hidden process checking, but once accepted....

    As for the repository, you should have little to worry about, as even though you may use a mirror, the initial pkg with the keys will be from download.blah.blah..

    If you Google around, there was a concern about mirrors and SUSE; due to the initial package it doesn't have this weakness as such. You can never completely eliminate the MITM; all you ever do is move your trust level elsewhere, i.e. from mirror to DNS spoofing...

    Key signing only really works with a web of trust, and that can only ever be truly guaranteed by meeting them personally and exchanging keys.

    As for sha5, md5, that is something different and not related to security signing; though difficult, it would be possible to match the sum.

    Anyway, that is my very crude understanding, probably lacking the technical jargon, and perhaps keys and signing could be clarified a bit more. But as mentioned, if you Google the MITM mirror attack you'll find if you're using download and not a mirror.. The article is about the potential for a mirror to hold back an update to allow an exploit. All theoretical and nothing I've ever heard of.

    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button; I don't know what it does but it sounds cool.
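The thread raises two gaps that a valid signature alone does not close: a user who "clicks away" a changed signing-key fingerprint, and a mirror that serves old but correctly signed metadata to hold back an update. The following is an added example (not openSUSE or zypper code) of the client-side checks that address both: a pinned key fingerprint, an expiry timestamp in the metadata, and a rollback check against the last revision the client accepted. The metadata fields, the placeholder fingerprint and the `signature_ok` flag (standing in for a `gpg --verify` result, since no key material is embedded here) are all constructed for the example.

```python
import hmac
from dataclasses import dataclass

# Fingerprint the client trusts for this repository. CONSTRUCTED PLACEHOLDER,
# not a real key; a real client would obtain it from the installed base image
# or another channel that does not depend on the mirror being queried.
PINNED_FPR = "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"

@dataclass
class RepoMetadata:
    signer_fpr: str      # fingerprint of the key that produced the detached signature
    revision: int        # Unix time at which the repository metadata was generated
    expires: int         # Unix time after which this metadata must be refused
    signature_ok: bool   # outcome of the signature check (assumed done by gpg/rpm)

def normalise_fpr(fpr):
    """Strip spacing so fingerprints compare regardless of display grouping."""
    return fpr.replace(" ", "").upper()

def check_metadata(meta, last_seen_revision, now):
    """Return the list of reasons to refuse this metadata; empty means accept."""
    problems = []
    if not meta.signature_ok:
        problems.append("signature did not verify")
    # A changed fingerprint is refused outright rather than offered for acceptance.
    if not hmac.compare_digest(normalise_fpr(meta.signer_fpr), normalise_fpr(PINNED_FPR)):
        problems.append("signed by a key that is not the pinned repository key")
    # Expiry bounds how long a mirror can keep replaying old, validly signed metadata.
    if now > meta.expires:
        problems.append("metadata expired: mirror may be holding back updates")
    # Rollback check: never step back to a revision older than one already accepted.
    if meta.revision < last_seen_revision:
        problems.append("rollback: metadata older than the last accepted revision")
    return problems

def evaluate_samples():
    """Constructed sample metadata: one fresh and valid, one stale replay, one re-keyed."""
    now = 1_700_000_000
    fresh = RepoMetadata(PINNED_FPR, revision=now - 3600, expires=now + 86400, signature_ok=True)
    stale = RepoMetadata(PINNED_FPR, revision=now - 40 * 86400, expires=now - 33 * 86400, signature_ok=True)
    rekeyed = RepoMetadata("AAAA " * 10, revision=now, expires=now + 86400, signature_ok=True)
    last_seen = now - 7200  # revision this client accepted on its previous refresh
    return {
        "fresh": check_metadata(fresh, last_seen, now),
        "stale": check_metadata(stale, last_seen, now),
        "rekeyed": check_metadata(rekeyed, last_seen, now),
    }
```

The stale sample is refused on two grounds at once (expired and older than the last accepted revision), which is what distinguishes a freeze by the mirror from a merely slow one.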
