Arch Linux and (the lack of) package signing
The Arch Linux user and developer community has been engulfed in sharply divisive debate recently over the issue of package signing. It started when an Arch user blogged about the distribution's lack of package signatures, the security risk it created, and his own frustrations with the core developers' response to the issue. The ensuing argument has since spread to include Arch's development model and a variety of leadership questions, but the root problem remains unsolved: there is still no mechanism to verify the authenticity of "official" Arch Linux packages.
Arch Linux is a non-commercial
distribution that de-emphasizes ease of use in favor of emphasizing
the "responsibility
" of the user to maintain the system
properly, and providing "simple
" and
"code-correct
" tools rather than striving for convenience.
That philosophy evidently attracts a healthy number of users and
contributors, but to some users, the project in practice misses the mark in
the important area of security. Arch Linux practices rolling releases,
with new packages pushed out as tarballs made available on the primary
project server, and mirrored on close to
100 sites around the globe. Although the official installation guide and
download page both emphasize the importance of examining the checksums of
downloads, no packages are signed by individual developers or by the main
project server.
To blogger IgnorantGuru, this constitutes an unacceptable security risk. In February, he blogged about his concerns, noting that without a method for Arch users to verify that a package is unaltered, packages can be replaced with Trojan-horse-laden code. This can happen if the primary server is compromised, but also at any of the mirrors, at network proxies or caches, on local storage, or even through man-in-the-middle hijacking of the download request. While package authentication might not have been important in Arch's early days, he said, the number of contributors and mirrors has grown so much that without signatures, the distribution and its users are sitting ducks.
Package signing protects against attackers' ability to tamper with or replace an uploaded file by providing an independent way for other people to verify that the binary has not been altered since the time it was signed by the developer. If a file server's security is compromised, a simple checksum (such as an MD5 or SHA1 hash) can be replaced with a new hash that matches the tampered-with binary with virtually no additional work for the attacker. That is because a hash is a function of the file contents alone; a digital signature is a function of both the file and the signer's private key. Thus, its authenticity can be verified using the file and a copy of the corresponding public key from a public key server.
Almost all prominent Linux distributions use package signing to allow users and system administrators to verify the integrity of packages. Typically, package uploaders use a private GPG key to sign the package before it is pushed to the release server, and the user's package installer includes support for automatically retrieving the corresponding public key and checking the signature. Support in the package manager itself is not mandatory, however; simply including a cryptographic signature as part of each package's metadata would permit security-conscious users to manually verify that packages have not been tampered with.
IgnorantGuru made that point in a message to the mailing list for developers of Arch's package manager Pacman. There he also lamented what he said was the low priority given to package security by the developers. The topic had come up before, but no one acted on it, and several of the core Arch developers dismissed the subject as an unimportant one that they were not willing to work on personally. IgnorantGuru subsequently asked for the addition of signatures to package metadata (without adding simultaneous support for checking them), and the core developers replied that he should take the issue up with the maintainers of the Arch mirrors he used.
Process, and the lack thereof
Furthermore, IgnorantGuru lambasted the dismissive attitude of the core developers towards the security issue in general. He quoted several of them directly, including comments such as "For me it makes not a big difference if a package is signed or not. It's a nice to have feature and I would be glad if someone would implement it. But for me it has a very low priority," and "Minor performance issues interest me a hell of a lot more than package signing."
A few, he said, did take the issue seriously and had submitted patches to Pacman, but core developers refused to act on them. In the comment thread that followed, supporters came out on both sides, and IgnorantGuru expounded on his claims of key developers resisting the idea, if not openly trying to derail it. He linked to two bug reports he had filed (the second in response to a comment on the first), noting that Allan McRae seemed to be actively trying to keep package signing improvements out of Arch. McRae, he said, repeatedly claimed that he had no interest in package signatures (and frequently stated that anyone who cared to could submit their code), but sought out every discussion of the topic and tried to quash others' efforts to work on a solution.
In the second first bug report, IgnorantGuru even suggested a lightweight
solution that involved only signing the main server's package database,
which would not protect users in the event that the main server is
compromised, but would at least allow them to verify that a given mirror
had not altered the packages it hosted. McRae countered that this approach
still left other attack vectors open (such as the master server itself
being compromised and the signatures and database forged), thus it was not
worth implementing, and that waiting for full support to come to Pacman was
preferable. IgnorantGuru responded, in effect, that this line of thinking is
making the perfect the enemy of the good, and that adding lightweight
signature support provided at least a substantial improvement over "no
signatures whatsoever." McRae also argues that the package signing plan in the
bug reports is "sub optimal
" and proposes a different approach
instead, concluding with a list of unanswered questions about the new
approach. IgnorantGuru calls this an attempt to derail real work by
starting a bike-shedding argument.
In addition to laying out the technical arguments, IgnorantGuru described how his attempts to discuss package signing on the official Arch discussion forum had been shut down by forum moderators. The threads were closed, and then moved to a "dustbin" forum section that is not visible to unregistered users. Subsequently, IgnorantGuru's account was suspended for eight weeks by the moderators, and his IP address blocked.
IgnorantGuru posted a
copy of the message that prompted his forum ban on his personal blog.
In it, he quotes McRae's assertion that he would accept Pacman patches from
other developers, and his assertion that "as usual
" no one
submitted any. He then describes patches sent by himself and other Arch
contributors, and what McRae and other core developers did to prevent
merging them. This second post covers similar ground as its predecessor,
but the comment thread provides even more detail, as McRae eventually joins
in.
As you would expect, there is a lot of heated language between the two, which can make it difficult to separate out the nucleus of each side's complaints. It is clear, however, that other Arch contributors have proposed virtually the same package signing plan as IgnorantGuru in the past, at least as far back as 2008. The core developers have never acted to add signature-checking to Pacman, even though patches have been submitted, yet at the same time have resisted all "interim" solutions as a waste of effort, on the grounds that Pacman is the proper place for package signature work.
For his part, IgnorantGuru posted a Bash script on his own site that allows a user a small amount of integrity checking by comparing the checksums of a package from multiple Arch mirrors. In the weeks since the original post, IgnorantGuru announced that he had given up on the hope that the core developers would ever adopt a package signing solution, and would be moving to a new distribution with a better security model. Most recently he posted about Gnuffy, a fork of Arch Linux that incorporates package signatures and other ideas shunned by the Arch leadership.
Threats
In the final analysis, Arch users are exposed to a security threat both by the distribution's lack of package signing and by the core developer's resistance to adopting it. However much the Arch "philosophy" says each user is responsible for his or her own system, IgnorantGuru is correct in his first blog post when he observes that without signatures, the distribution's infrastructure is vulnerable to every exploit found in every other system on the path between the main project server and the user's PC. Any exploit on the OS used by the HTTP or FTP mirror server can allow an attacker to replace an Arch package, and the user has no way to even detect that the change has been made. A network-based man-in-the-middle attack does not even require finding a root exploit on one of the servers; it could be performed at a router or network access point.
As for McRae and the other core developers resisting outside work to implement package signatures, there are at least two levels at which their recent statements are troubling. First, they (and commenters taking their side) invariably bring up the "stop whining or start coding" retort, or its kinder cousin "patches welcome."
In theory that reply encapsulates the open source approach — anyone with an itch can scratch it — which is true on the surface. But it overlooks the reality of distribution maintainership: some tasks, such as security, are vital to the health of the project, even though they might not be anyone's idea of fun. In addition, as the Arch developers' responses have shown, the gatekeepers to a project can still prevent new code and patches from getting accepted if they so choose.
That of course is the second level at which the core developers' resistance is troubling: the fact that they would prevent security patches from going into the project. Some on the anti-signature camp argue (essentially) that if you don't like any decision made by the core developers, you should leave, and cite Arch's "not for the faint-of-heart" philosophy as justification. But that is in direct opposition to the "patches welcome" response. A distribution cannot invite contributions, but then treat contributors with hostility when they arrive.
Moreover, in Arch's case it hardens the anti-signing camp into a position where it denies the reality of the package-tampering threat. You can already see this in some of the responses to IgnorantGuru and the bug reports he filed: commenters minimizing the statistical likelihood of an attack as grounds for not adopting any package signing plan at all.
Perhaps there is no reason to read ill will into any of McRae or the other Arch developers' resistance to package signing; perhaps they only seem hostile in context. But even if that is the case, by preventing others' code from making it into Pacman and the package database, they are letting Arch Linux users remain sitting ducks, as well as driving them away. It's hard to see how either result improves the project.
[Update: Arch Linux developer (and Pacman lead) Dan McGee strongly disagrees with this article, and has written about it on his blog. Additional comments can be found on our note about his posting as well.]
(Thanks to Roger Leigh for the heads-up on this topic).
| Index entries for this article | |
|---|---|
| Security | Distribution security |
| GuestArticles | Willis, Nathan |
Posted Mar 24, 2011 1:40 UTC (Thu)
by pabs (subscriber, #43278)
[Link] (22 responses)
Posted Mar 24, 2011 8:28 UTC (Thu)
by hickinbottoms (subscriber, #14798)
[Link] (21 responses)
Posted Mar 24, 2011 12:28 UTC (Thu)
by alex (subscriber, #1355)
[Link] (15 responses)
One mitigation would be move from rsync'ing the portage tree (which I believe is still held in CVS) to using a git tree instead. At least this way you can be sure* the metadata hasn't been tampered with between syncs. Of course you still depend on the developer doing due diligence on the first tree.
I'm not sure if the nature of the distribution (being source based) widens or narrows the attack surface.
* YMMV, I don't believe anyone has managed an attack on a git repo yet.
Posted Mar 24, 2011 13:36 UTC (Thu)
by hickinbottoms (subscriber, #14798)
[Link]
This makes it a trivial matter to replace packages without end-user detection if you have write access to a mirror (and there are lots of mirrors). This is the same problem reported in the original article on Arch.
I'm sure you knew this but wanted to point it out since I don't think the presence of the manifest does anything other than to aid detection of corruption of the source tarball during or after download - it doesn't help with indicating package authenticity at all.
I believe there have been discussions over a git-based Portage but it's not got anywhere significant as yet, and GPG-based package signing seems to have been discussed for many years but still isn't stable as far as I can tell.
Posted Mar 24, 2011 19:35 UTC (Thu)
by quentin.casasnovas (guest, #58238)
[Link] (2 responses)
Posted Mar 24, 2011 23:32 UTC (Thu)
by blitzkrieg3 (guest, #57873)
[Link]
Posted Mar 25, 2011 10:03 UTC (Fri)
by alex (subscriber, #1355)
[Link]
Really you want each change to the metadata to be a discreet verifiable commit.
Posted Mar 24, 2011 19:47 UTC (Thu)
by vapier (guest, #15768)
[Link] (10 responses)
anyone who truly cares about security is not going to rely on SHA1 checksums. claiming "use git" is a fix is ridiculous.
plus, you're now syncing the git tree which balloons overhead considerably since the entire history is mirrored and not just the latest set of files. i'm sure the mirrors giving up free space/bandwidth/resources will love that.
Posted Mar 25, 2011 10:10 UTC (Fri)
by alex (subscriber, #1355)
[Link] (9 responses)
And of course you can sign tags with GPG for extra confidence.
As far as bandwidth and diskspace is concerned it would be worth doing some tests before ruling it out as less efficient than rsync. The over the air update protocol is fairly efficient and the .git directory is often smaller than the checked out tree as it's fairly heavily compressed. Plus of course as a developer it's really useful to have the whole history of an ebuild available to you when diagnosing issues or trying to understand why something was done.
Posted Mar 25, 2011 14:04 UTC (Fri)
by foom (subscriber, #14868)
[Link] (3 responses)
Really? Isn't it still only theoretical?
Posted Mar 25, 2011 15:54 UTC (Fri)
by alex (subscriber, #1355)
[Link]
Posted Mar 26, 2011 20:39 UTC (Sat)
by smurf (subscriber, #17840)
[Link] (1 responses)
That's not the same as finding a bytestring which hashes to a given SHA1, which is still easier than to find a bytestring with, together with a given ASCII pre- and postamble, will match that given SHA1.
I don't think there's a feasible attack for the latter. But as SHA1 is considered "broken enough" that it should be phased out, AFAIK current efforts on one-way hashes are more focused on trying to break the several candidates for SHA's replacement, than to break SHA1 'even more'.
Posted Mar 28, 2011 11:01 UTC (Mon)
by nye (subscriber, #51576)
[Link]
In principle yes, but nobody's ever actually done it with full SHA1 - until it gets a bit more broken than it currently is, going beyond proof-of-concept attacks on much reduced versions of SHA1 would still require more computing power than is currently feasible.
>But as SHA1 is considered "broken enough" that it should be phased out
True, it would be a bad choice for something new, but things aren't so terribly bad for SHA-1 yet - hell, there aren't even any pre-image attacks for *MD5* yet AFAIK and that's been considered utterly broken for *years*.
Posted Mar 29, 2011 18:34 UTC (Tue)
by vapier (guest, #15768)
[Link] (4 responses)
you missed the "resources" aspect. high compression means significantly higher cpu/mem usage which makes scaling up much harder. plus, our mirrors now have to run a git daemon to do mirroring ? it just doesnt work out.
as a developer, you can mirror the VCS tree yourself.
Posted Mar 30, 2011 2:08 UTC (Wed)
by smurf (subscriber, #17840)
[Link] (3 responses)
Posted Apr 3, 2011 2:52 UTC (Sun)
by vapier (guest, #15768)
[Link] (2 responses)
Posted Apr 3, 2011 6:17 UTC (Sun)
by smurf (subscriber, #17840)
[Link] (1 responses)
Posted Apr 3, 2011 7:37 UTC (Sun)
by jrn (subscriber, #64214)
[Link]
Perhaps the servers you've been connecting to use the (relatively) new "smart" HTTP support, which negotiates which objects to send using a CGI script.
Posted Mar 24, 2011 15:50 UTC (Thu)
by tetromino (guest, #33846)
[Link] (4 responses)
You are many years out of date :) Gentoo's portage has had the ability to use GPG to sign and verity package manifests since 2004: http://www.gentoo.org/news/20041021-portage51.xml
What is true is that there seems to be no policy requiring Gentoo developers to sign manifests, and as a result, many developers never bother to do so and thousands of packages remain unsigned.
Posted Mar 24, 2011 16:39 UTC (Thu)
by alex (subscriber, #1355)
[Link]
/me makes a note to enable the gpg feature.
Posted Mar 24, 2011 16:46 UTC (Thu)
by hickinbottoms (subscriber, #14798)
[Link]
I suspected as much! However, I looked into this feature today and it doesn't appear to be enabled in the currently marked-stable portage (on my system, at least):
> # emerge ...whatever...
Still, as you say it counts for little if most of the software isn't signed by the mai
Posted Mar 24, 2011 19:48 UTC (Thu)
by vapier (guest, #15768)
[Link]
$ find *-* -maxdepth 2 -name Manifest | wc -l
that is fairly abysmal ...
Posted Mar 24, 2011 6:03 UTC (Thu)
by smurf (subscriber, #17840)
[Link] (6 responses)
Posted Mar 24, 2011 20:28 UTC (Thu)
by BradReed (subscriber, #5917)
[Link] (5 responses)
http://www.toofishes.net/blog/real-story-behind-arch-linu...
Posted Mar 24, 2011 22:09 UTC (Thu)
by giraffedata (guest, #1954)
[Link] (1 responses)
Dan McGee's explanation doesn't cover the censorship, except to mention in passing that it happened and calling the triggering post a "rant that looked more like a blog post." IgnorantGuru says that he was told the problem was that the post was "trolling." I read it, and I don't think this moderator knows what the word means. IgnorantGuru also says the moderator said he was warned multiple times, but he doesn't remember being warned.
McGee makes a good case that IgnorantGuru's criticism was unfair, but I'm still troubled by the silencing of it.
McGee's blog post, by the way, shows him to be hypersensitive and highly defensive with respect to the LWN article. The LWN article is unbalanced, but not dishonest. As a neutral reader, I was aware throughout that I was seeing a report of IgnorantGuru's beliefs. The article's wording is careful enough that it is in fact consistent with McGee's version.
Posted Mar 25, 2011 9:44 UTC (Fri)
by BradReed (subscriber, #5917)
[Link]
The truth is probably somewhere in the middle.
Posted Mar 24, 2011 23:51 UTC (Thu)
by IgnorantGuru (guest, #73857)
[Link] (2 responses)
LWN should be applauded for taking the heat for bringing this issue forward with integrity, and not buying the spent Arch dev arguments that no one has been willing to contribute. That is false - I have also heard privately from many devs who told me they also tried to get things done and hit the same brick wall. And I have been thanked by many Arch users for making them aware of this issue. LWN has their priorities right - they are informing their readers of a serious security problem. Silence and censorship is not the solution. Don't shoot the messenger.
As for package signing being 'almost done' - we'll see. They said this in 2008.
My reply to Dan McGee:
Posted Mar 25, 2011 0:19 UTC (Fri)
by wonder (guest, #64293)
[Link] (1 responses)
Look who's talking. the guy who deliberate block Allan's comments on his blog.
Dan would never do that.
Posted Mar 25, 2011 2:46 UTC (Fri)
by IgnorantGuru (guest, #73857)
[Link]
Posted Mar 24, 2011 6:10 UTC (Thu)
by joey (guest, #328)
[Link]
That approach is not entirely typical -- Debian and presumably most or all of its derivatives use the second approach, where there's a checksum-based trust path to a central file that is signed.
This broadly reminds me of discussions in Debian about how to provide a trust path to packages. Some wanted to embed the signatures inside each package, while others preferred that a central list of packages in the distribution (and checksums) be signed, and some preferred both. There were plusses and minuses to both approaches (for example, if packages are individually signed by their uploaders, how to handle key revocation? if packages are centrally signed, how to handle the checksum path becoming cryptographically broken?), and implementing both methods and deciding between them took time in which there remained little strong security.
Of course, that was many years ago, and I can't remember anyone doing quite the ostrich imitation described in this article.
Posted Mar 24, 2011 6:44 UTC (Thu)
by wonder (guest, #64293)
[Link] (2 responses)
Posted Mar 24, 2011 7:38 UTC (Thu)
by bo (guest, #56215)
[Link] (1 responses)
Note that Allan is the author of a number of these patches.
Posted Mar 31, 2011 20:35 UTC (Thu)
by Lord_REL (subscriber, #72661)
[Link]
Posted Mar 24, 2011 21:54 UTC (Thu)
by jiu (guest, #57673)
[Link] (4 responses)
Posted Mar 24, 2011 23:52 UTC (Thu)
by IgnorantGuru (guest, #73857)
[Link]
Posted Mar 25, 2011 2:40 UTC (Fri)
by nlucas (guest, #33793)
[Link]
As it is, even after reading the other side of the story, I don't see anything wrong with it. No impartial person can deny that even if IgnorantGuru may have gone beyond reason, his main point was still valid, and not answered as it should.
P.S. I don't have any reason to think badly of ArchLinux (nor had in the past or will start now). I still think it's an interesting distro, even if I never used it and maybe never will. To me this just means there are times where perfectly fine people just have a bad moment.
Posted Mar 25, 2011 23:44 UTC (Fri)
by nicooo (guest, #69134)
[Link]
Posted Mar 28, 2011 16:26 UTC (Mon)
by jschrod (subscriber, #1646)
[Link]
For the record: I have never used Arch Linux, don't intend do, and don't know any of the involved persons.
I assume that you are as uninvolved in Arch Linux as I am, otherwise you would have surely noted that when calling for censorship of an opinionated article.
Posted Mar 25, 2011 1:50 UTC (Fri)
by randomguy3 (subscriber, #71063)
[Link]
The impression I get from IgnorantGuru's blog post is of someone who has stamped his foot and yelled and not got his way. I agree with him insofar as I believe that package signing should be implemented, and should be given a higher priority than the pacman developers have apparently given it. However, from what I have read (summaries of the situation by IgnorantGuru and Dan, and some of the bug reports), IgnorantGuru appears to be ignorant (ha ha) of how to go about getting something implemented in an open source project.
Protip 1: simply telling the developers that something is very important for them to do (and even that it's "easy") will not get them on your side.
Protip 2: being antagonistic (which is how IG comes across in https://bugs.archlinux.org/task/23101, for example) will not get them on your side.
In fact, IgnorantGuru's whole approach to this seems to be a textbook example of how not to get a feature you want implemented. He has been antagonistic and demanding, and has failed to get involved in the development process (in the manner generally accepted by the project) while at the same time claiming that implementing signing is easy.
In fact, the main sticking point in this whole issue seems to be that there is no-one who cares sufficiently about package signing that is both able and willing to write and maintain the code, and see the feature through to completion, in a way that is acceptable to the maintainers. And, like it or not, that's what it takes to get something done in a relatively small volunteer-run open source project like Archlinux.
All this is not to absolve Dan and Allan of any wrongdoing, however. But I am not in the least bit surprised that IgnorantGuru has not acheived his goal, given how he went about it.
Posted Mar 25, 2011 5:42 UTC (Fri)
by nonoitall (guest, #73856)
[Link]
Posted Apr 9, 2011 11:25 UTC (Sat)
by i3839 (guest, #31386)
[Link]
I also wrote a patch adding the ability to upgrade only packages that were x days old (the only sensible way to add some stability to a rolling release package system IMHO), and a bunch of buffer overflow fixes for Pacman, but they didn't make it in either as far as I know.
I know others that left the forum/Arch for similar reasons. All very disheartening. Sad that not much changed since I left.
Arch Linux and (the lack of) package signing
Unless I'm out of date I believe Gentoo has also always suffered this, and continues to do so.
Arch Linux and (the lack of) package signing
Gentoo Mitigations?
Gentoo Mitigations?
Gentoo Mitigations?
Gentoo Mitigations?
Funtoo
Gentoo Mitigations?
Security of a git tree
Security of a git tree
I was going from memory but it seems so. Having said that there is a long road from generating collisions to a feasible attack. However from a crypto point of view you are no longer being protected by the maths ;-)
SHA1
Security of a git tree
Security of a git tree
Security of a git tree
Security of a git tree
That works quite well with http.
Security of a git tree
Security of a git tree
It creates a few index files which speed up the job considerably.
(It's typically run from the post-update hook in the shared repository.)
Security of a git tree
Arch Linux and (the lack of) package signing
Gentoo package signing
Arch Linux and (the lack of) package signing
> FEATURES variable contains unknown value(s): gpg
> Portage 2.1.9.42 (default/linux/x86/10.0, gcc-4.4.5, glibc-2.11.3-r0, 2.6.35-gentoo-r12 i686)
Arch Linux and (the lack of) package signing
14438
$ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
6032
Arch Linux and (the lack of) package signing
Security by obscurity.
Somebody, by now, should have told them that life doesn't work that way.
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
http://igurublog.wordpress.com/2011/03/24/lwn-picks-up-on...
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
> users and system administrators to verify the integrity of packages.
> Typically, package uploaders use a private GPG key to sign the package
> before it is pushed to the release server
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
It may be biased because an author not directly related to the story may catch the wrong viewpoint, but that doesn't make it wrong - only out of context when more information is available later.
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and (the lack of) package signing
Arch Linux and censorship