I think people are missing an important concept here (I might have missed it somewhere)... Key signing can be a security threat.
What?...
Key signing can be a security threat. Of course what is a 'threat' or not depends on your threat model. If you are running a server for a corporation, yeah, I can see how anonymity could be low priority (no way you are going to 'hide' Google or Amazon.com inside of the darknet). However if you are an end user, perhaps some kind of 'hacktivist', leaving your 'web of trust' all over the internet is F--KING STUPID!
Think about it. You spent hours and hours, maybe weeks setting up your P2P darknet services, blocking javascript, hardening your system, setting up proxies, doing everything in your power to ERASE your personal history and fingerprints from the web and to avoid tracking... And here you are, connecting all over the place with signed keys. Seriously? I don't think people even stop to think about it, as if there was a choice.
Using key encryption is a poor way to protect your anonymity. Actually, it's like pouring gasoline on a fire to put it out. It does the OPPOSITE. It might offer some degree of encryption to protect your communication from your ISP or anyone without the right key, but other software can do that BETTER. Yes, better. What you sacrifice for your encryption is leaving your fingerprint that can be tied back to you. It makes a web that identifies you more than any cross-site cookie ever could. It tells the world every single thing about what you have been up to and where, in regard to things you signed off on. Every download, every extension, every app downloaded in your repo... It tells the world about the person using your computer, you.
So really it depends on your threat model. I hack my apps anyway, and examine their config settings. I like setting my own dependencies rather than having Ubuntu tell me I need DNSMasq installed by default broadcasting my 'localhost' to the outside world after an update... I try to remove it and it breaks my network manager... Just terrible. I like the flexibility of Arch.
I am coming from Chakra, but I realized I do not like KDE. So I might go with Liquid Lemur as a starting point, or I might try my hand at a clean install of Arch-Linux.
All this talk about how they do not use signing has CONVINCED me to use Arch again, after considering Gentoo/Sabayon. I am not somebody who wants to string a big 'web of trust' around the net when I am trying to protect my identity instead.
McGee: The real story behind Arch Linux package signing
Posted Aug 8, 2012 18:13 UTC (Wed) by mathstuf (subscriber, #69389)
Huh? How is keysigning *packages* a security threat? Sure, signing all outgoing connections from my machine can be a (real life versus technological) security risk, but I cannot agree that not signing packages is some kind of feature.
If you're a hacktivist trying to stay hidden, I don't see how posting *public* builds on Arch would be leading to your goals. In any case, why couldn't it be Arch's key signing packages that go through the buildsystem (and making sure only verified developers submit builds to the system). What I'd like (if I were to consider using Arch) would be to make sure that what I have is what the buildsystem made. I don't think the build system has any notion of anonymity and it would hold no authority (at least to me) if it were anonymous.
If you think that people want an Arch machine to GPG sign all outgoing traffic, either people are proposing outlandish signing policies or you're propping up a strawman.