Posted Apr 5, 2012 22:14 UTC (Thu) by PaXTeam (subscriber, #24616)
In reply to: rpm: code execution by rahulsundaram
Parent article: rpm: code execution
> Your understanding is incorrect.
we'll see about that ;).
> Red Hat signing key compromise didn't happen on several occasions.
i'm sure they'd be really glad to know that for sure but as these things tend to stand, they cannot know that so you can't know that either.
> Just once
you mean one compromise became public enough that it couldn't be swept under the carpet.
there're no details about the compromise and that on-going investigation seems to have never finished as, 4 years later, we still don't know what exactly happened (hello kernel.org). yes, you don't know that either.
Posted Apr 5, 2012 23:47 UTC (Thu) by rahulsundaram (subscriber, #21946)
Even if one can take your argument that anything might have happen any number of times and nobody knows anything for sure, anyone is still wrong to make a claim without any evidence and I stand by my point that he has merely misunderstood what he has read especially since he also claimed Fedora signing keys were also compromised.
rpm: code execution
Posted Apr 6, 2012 14:36 UTC (Fri) by PaXTeam (subscriber, #24616)
but you see the problem with your claims is that you didn't present any evidence, therefore you're wrong by your own opinion ;). speaking of the news item you cited, it doesn't actually say that the Fedora signing key remained safe and in fact had there been 100% assurance of that fact, no key changes would have been necessary.
rpm: code execution
Posted Apr 7, 2012 5:29 UTC (Sat) by rahulsundaram (subscriber, #21946)
You are not that naive. Proving a negative is not possible. Keys got changed as a precaution which again I am sure you were already aware of.
rpm: code execution
Posted Apr 7, 2012 19:28 UTC (Sat) by PaXTeam (subscriber, #24616)
> You are not that naive.
let's keep this civil ;).
> Proving a negative is not possible.
actually, it depends. i'm pretty sure you could prove that no numbers in the set of the integer powers of 2 are divisible by 3. besides, you're basically saying that you wanted to contradict the OP by making an unprovable statement.
> Keys got changed as a precaution which again I am sure you were already aware of.
i know what they said but that's not what *you* said. you made the blanket statement (again, to contradict the OP) that the Fedora signing key wasn't compromised. not even the Fedora guys dared to make such a statement, why did you then?
rpm: code execution
Posted Apr 7, 2012 20:33 UTC (Sat) by rahulsundaram (subscriber, #21946)
OP made a claim without evidence. I asserted it is not true because there is no reasonable evidence for it. Beyond that, I am not really interested in "100% proofs".
rpm: code execution
Posted Apr 7, 2012 21:35 UTC (Sat) by PaXTeam (subscriber, #24616)
you didn't simply disagree with him, you flat out made a counter-claim - without evidence. not exactly a convincing style of discussion, if you ask me ;). second, you're actually wrong about
> OP made a claim without evidence.
the reason for that is simple: when RH/Fedora guys learned of the compromise, they got irrefutable evidence that 1. such a stunt was actually possible, 2. at least one entity had successfully pulled it off. from this any incident responder will conclude that it must have then been possible for other entities as well and that is actually the reason for the Fedora key change (RH's saving grace was the HSM): they did *not* have the option/choice of not changing the signing key, they *had* to do it because at that point someone else may very well have been signing fake packages left and right. to conclude, the OP has every reason to suspect more than one compromise, down to the signing key, just because it had actually occurred once in the past already. yes, that also means that all this package signing security buys one only so much.
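The incident-response reasoning in the post above (a key that may have leaked must be retired outright, and known-good packages re-signed under a fresh key) as an added illustration; this is not code from the thread, from rpm, or from Fedora's infrastructure. An HMAC over the package digest stands in for the real asymmetric package signature, and the key ids, secrets and package contents are constructed. The point it shows is that after retirement the verifier rejects every signature under the old key, including ones that are mathematically valid, because the verifier cannot tell the maintainers' signatures from an attacker's.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for a repository signing key. In a real repository the
# signature would be asymmetric (GPG); HMAC is used here only so the example
# runs offline with the standard library. The trust-store policy is the point.
@dataclass
class SigningKey:
    key_id: str
    secret: bytes
    retired: bool = False  # set once compromise of this key is suspected


def sign(key: SigningKey, package: bytes) -> str:
    """Produce the stand-in signature over the package digest."""
    digest = hashlib.sha256(package).digest()
    return hmac.new(key.secret, digest, "sha256").hexdigest()


def verify(store: Dict[str, SigningKey], key_id: str, package: bytes,
           signature: str) -> Tuple[bool, str]:
    """Accept a package only if its signature checks out under a key that is
    still trusted. A retired key fails before the signature is even examined:
    a valid signature under it proves nothing once someone else may hold it."""
    key = store.get(key_id)
    if key is None:
        return False, "unknown key"
    if key.retired:
        return False, "key retired after suspected compromise"
    if not hmac.compare_digest(sign(key, package), signature):
        return False, "bad signature"
    return True, "ok"


def rotate_key(store: Dict[str, SigningKey], old_id: str, new_key: SigningKey,
               known_good: List[bytes]) -> Dict[bytes, str]:
    """Retire the suspect key and re-sign packages the maintainers know they
    built (from their own build records, never from what verifies under the
    old key, since the attacker could produce such signatures too)."""
    store[old_id].retired = True
    store[new_key.key_id] = new_key
    return {pkg: sign(new_key, pkg) for pkg in known_good}


def run_scenario() -> Tuple[Dict[str, Tuple[bool, str]], Dict[str, Tuple[bool, str]]]:
    """Constructed walk-through: a rogue package signed with the leaked key
    verifies fine until the key is retired, which is why retirement is forced."""
    old = SigningKey("OLDKEY-0001", b"constructed-old-secret")
    store: Dict[str, SigningKey] = {old.key_id: old}

    good = b"constructed contents of a genuine package"
    good_sig = sign(old, good)
    # An attacker holding the old secret can sign whatever they like.
    rogue = b"constructed contents of a trojaned package"
    rogue_sig = sign(old, rogue)

    before = {
        "good": verify(store, old.key_id, good, good_sig),
        "rogue": verify(store, old.key_id, rogue, rogue_sig),
    }

    new = SigningKey("NEWKEY-0002", b"constructed-new-secret")
    resigned = rotate_key(store, old.key_id, new, [good])

    after = {
        "good_old_sig": verify(store, old.key_id, good, good_sig),
        "good_new_sig": verify(store, new.key_id, good, resigned[good]),
        "rogue_old_sig": verify(store, old.key_id, rogue, rogue_sig),
    }
    return before, after


if __name__ == "__main__":
    before, after = run_scenario()
    for phase, results in (("before rotation", before), ("after rotation", after)):
        for name, (ok, reason) in results.items():
            print(f"{phase:16} {name:14} accepted={ok} ({reason})")
```

Note that `before["rogue"]` is accepted: signature verification alone cannot distinguish the maintainers' signatures from an attacker's under the same key, which is the sense in which package signing "buys one only so much". After `rotate_key`, both the genuine package's old signature and the rogue package are rejected for the same reason, and only the re-signed genuine package is accepted.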
rpm: code execution
Posted Apr 8, 2012 1:58 UTC (Sun) by rahulsundaram (subscriber, #21946)
You didn't ask OP for any evidence for his claim that Fedora keys were compromised. So I don't find your style convincing either. The latter part is just speculation and you are free to engage in it.
rpm: code execution
Posted Apr 8, 2012 18:55 UTC (Sun) by PaXTeam (subscriber, #24616)
> You didn't ask OP for any evidence for his claim that Fedora keys were compromised.
why would i have asked him/her if i fundamentally find no fault with his/her thinking? (i explained in previous posts why)
> So I don't find your style convincing either.
for that matter you didn't ask OP *anything* either, you went for a straight counterclaim (more like speculation, really), so it seems you don't find your own style convincing either ;).
> The latter part is just speculation and you are free to engage in it.
it's no less speculation than your own speculation (or as any security professional would call it, wishful thinking ;).
rpm: code execution
Posted Apr 8, 2012 20:50 UTC (Sun) by rahulsundaram (subscriber, #21946)
If you find no fault with someone who makes a claim about keys being compromised and multiple compromises without any evidence but choose to interject your own overreaching hypothesis to justify it, I have nothing further to discuss. Good luck with wishful thinking.
rpm: code execution
Posted Apr 8, 2012 21:07 UTC (Sun) by PaXTeam (subscriber, #24616)
so in the end you fault others for what you yourself have done and at the same time do not understand why your 'no other compromise ever' claim is wishful thinking. i rest my case ;).
rpm: code execution
Posted Apr 8, 2012 23:03 UTC (Sun) by rahulsundaram (subscriber, #21946)
You engage in false equivalence knowingly (any claim of multiple compromises without evidence is unjustified while it is not possible to ever show that any system has never been compromised). So yes, you are engaging in wishful thinking and I don't buy your argument nor am I convinced by your style. So we can agree to disagree. I rest my case too :-)
rpm: code execution
Posted Apr 6, 2012 15:56 UTC (Fri) by amacater (subscriber, #790)
OK. My memory may be fallible. Red Hat infrastructure was compromised on at least one occasion; signing key infrastructure was compromised at that time - "dodgy packages" were purportedly signed, IIRC.
Fedora infrastructure was compromised at some separate time: hence the one Fedora instance where there were two sets of packages - one from "old key" one from "new key".
My comment was from memory: but there was more than one occasion, as I recalled.
rpm: code execution
Posted Apr 7, 2012 5:34 UTC (Sat) by rahulsundaram (subscriber, #21946)
Not a separate time but the same. Also, there is no evidence of Fedora signing keys ever having been compromised. Fedora did change it as an additional security measure. As to your memory of there being more than one such instance, I have to say it is faulty.