McGee: The real story behind Arch Linux package signing
You can imagine at this point, a year down the road from the first patches, none of the primary pacman developers are very interested in implementing this themselves. Perhaps this is true, with the ironic twist that more than half of the patches on our long-lived gpg branch are from the three main contributors. I think the most truthful statement is that no one wanted to take the lead on this and finish it by themselves. At this point, the work is nearly where it stands today, as most of the additional work I merged in the last few days was simply bitrot cleanups (aside from pacman-key). However, nowhere have you seen any sense of 'even if you produce good work and get things finished we won't take it' attitudes from Allan [McRae] or I."
Posted Mar 24, 2011 19:32 UTC (Thu)
by elanthis (guest, #6227)
[Link] (7 responses)
However, this is still a screw up for LWN and the correct thing to do is to add a large note to the top of the first article that points to this new one and explicitly states that the contents of the first have come under further scrutiny and new information has come to light.
Posted Mar 25, 2011 1:06 UTC (Fri)
by AndreE (guest, #60148)
[Link] (3 responses)
Three years to be pissing around about package signing is a complete joke. That the issue had to become so inflammatory before getting attention is even worse.
I guess if such an obvious security improvement like package signing is not considered important to the distribution and is left to the whims of developer interest, then Arch Linux really is just nothing more than a hobby OS.
The volunteer excuse can be now used for anything. Dangerous default permissions? No developer interest! Remote exploit in kernel? No developer interest! Hey, Linux is just a toy OS right? Don't actually expect it to be fit for any purpose.
Posted Mar 25, 2011 21:25 UTC (Fri)
by intgr (subscriber, #39733)
[Link] (2 responses)
> then Arch Linux really is just nothing more than a hobby OS.
Indeed, that's what it is. Arch Linux has never strived to be an enterprise distribution. What do you expect from a group of 30 developers and almost no funding? It's sad that there is no package signing yet, but there are numerous other distros that have it. If that's what you need, use those.
> Dangerous default permissions? No developer interest! Remote exploit in kernel? No developer interest!
But that's what the developers are interested in. Arch Linux often releases updates on the same day as upstreams — usually faster than even the experimental branches of other distros. There is no delay introduced by back-porting patches, security or otherwise. That's what it's all about, being agile and not overcomplicating things.
Posted Mar 26, 2011 12:45 UTC (Sat)
by rleigh (guest, #14622)
[Link] (1 responses)
> other distros that have it. If that's what you need, use those.
This is a really strange stance. Distribution security is something *all* distributions need to care about. I may not directly deal with that many end users of the software I package and distribute, but I sure as hell care deeply that they aren't going to get their systems compromised and exploited as a result of anything I do. If I didn't care about the users downloading my software, I'd be asking myself if I should be publicly distributing it at all. Signing packages is the root of all trust a user can have in any files downloaded from a distribution or its mirrors; without that, there is zero basis for any trust--I have no guarantee there has been any tampering at all.
> Arch Linux often releases updates on the same day as upstreams usually
> faster than even the experimental branches of other distros. There is no
> delay introduced by back-porting patches, security or otherwise.
> That's what it's all about, being agile and not overcomplicating things.
Having the knowledge that the software you are downloading from a mirror is genuine isn't really anything to do with any of this though: it's a fundamental requirement for a modern distribution. Everything should be signed, always. It doesn't matter how quick and "agile" you are getting a release out if your users cannot place *any* trust in the origin and authenticity of the files they are downloading.
Regards,
Roger
Posted Mar 26, 2011 14:31 UTC (Sat)
by intgr (subscriber, #39733)
[Link]
I was just saying that Arch Linux *is* a hobby OS, as you suggested yourself; it doesn't aim to be more than that.
You make it sound like package signing is the only important feature about a distro.
Posted Mar 25, 2011 1:38 UTC (Fri)
by AndreE (guest, #60148)
[Link] (1 responses)
Another party has submitted a contested version of events. We have no reason to treat his version as canonical. LWN did the right thing in pointing to his reply.
And regardless, the wider issue about their attitude to security still stands, regardless of whose story you choose to believe.
Posted Mar 25, 2011 14:14 UTC (Fri)
by tialaramex (subscriber, #21167)
[Link]
Consider the smoking gun. A bug is filed. The bug has code in it which helps fix a problem. Plenty of people leap on the chance to assert that it's irrelevant to the problem. None of them seem to really understand or explain why MD5 isn't a problem here. McGee makes an unsupported claim about relative likelihood of different attack scenarios, and says the patch as provided isn't acceptable because of its format.
The poster asks for reassurance that reformatting will result in acceptance. He hears nothing for three weeks.
Until the LWN article is published, whereupon magically the change at the top of the bug is applied along with a bug fix and the ticket is closed without comment. Spooky.
Plausible MD5 collision attacks rely on the party who makes package A (the "good" package) colluding with the party that makes package B (the "bad" package) to enable the collision so that A and B have the same hash. This is a serious problem in MD5, but it's not clear that it's a practical threat to a Linux distribution. Still, using SHA256 can't hurt.
Posted Mar 31, 2011 10:21 UTC (Thu)
by jschrod (subscriber, #1646)
[Link]
So, where has the content of the first come under "further scrutiny"? (It's the one-side-view of the story where McGee's is the other-side-view.)
And, where is the new information that has come to light?
I don't consider last week's report a low point, I consider it very interesting and applaud LWN.net for informing me about that discussion.
For the record: I have never used Arch Linux, don't intend to, and don't know any of the involved persons. I follow this story only because I'm interested in the state of Linux distributions.
I assume that you are as uninvolved in Arch Linux as I am, otherwise you would have surely noted that.
Posted Mar 24, 2011 19:33 UTC (Thu)
by vonbrand (subscriber, #4458)
[Link] (5 responses)
This is unfair to LWN. That an (essential) feature doesn't move forward can't just be blamed on "the reporters/requesters didn't step up to completing the task". Package signing is not just handling signatures for individual packages in the package manager, it needs workflow to ensure only the right files get blessed, key handling, ensuring mirrors can't play shenanigans (see this discussion on package manager security, which McGee himself cites). This is a distribution-wide task, not just package manager hacking.
Posted Mar 24, 2011 23:51 UTC (Thu)
by drag (guest, #31333)
[Link] (4 responses)
I like how Debian does it. Each package is not signed. The list of packages is signed and the list contains hashes of the packages which you can use for validation. Very effective and efficient and requires only minimal changes. Hashing is a normal function of package management and is used to detect corruptions caused by downloading errors.
Posted Mar 25, 2011 12:12 UTC (Fri)
by vonbrand (subscriber, #4458)
[Link] (3 responses)
Yes, but signing the contents of the repository has to be done each time a new package shows up (a lag/mistake here breaks all), and it also limits some lone developer from packaging something and just signing the package with a GPG key that can then be checked against the standard places. I much prefer the signature being part of the package itself (end-to-end security, if you will).
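The signed-list scheme drag describes and the lag case vonbrand raises, as an added example in Go that is not code from this thread, from Debian, or from pacman: the repository signs one canonical list of SHA-256 hashes, and the client trusts a hash only after the list's signature verifies, rejecting both a file that differs from its listed hash and a file the list does not yet mention. The Ed25519 key, the package bytes and the line format are constructed assumptions for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) } // SHA-256, not MD5

// BuildIndex renders the package list as canonical "name sha256hex" lines: the one artefact the repository signs.
func BuildIndex(pkgs map[string][]byte) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names) // canonical order: signer and verifier must hash identical bytes
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, digest(pkgs[n]))
	}
	return []byte(b.String())
}

// VerifyPackage is the client side: no hash in the list is trusted until its signature checks out.
func VerifyPackage(pub ed25519.PublicKey, index, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, index, sig) {
		return fmt.Errorf("index signature invalid: list altered or not signed by the repository key")
	}
	want := "" // hash the signed list vouches for, if any
	for _, line := range strings.Split(string(index), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == name {
			want = f[1]
		}
	}
	if want == "" { // uploaded but not yet re-signed into the list (vonbrand's "lag" case)
		return fmt.Errorf("%s: not listed in the signed index", name)
	}
	if digest(data) != want { // swapped or corrupted on a mirror
		return fmt.Errorf("%s: file does not match the hash in the signed index", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed repository key
	index := BuildIndex(map[string][]byte{"pacman": []byte("constructed package bytes")})
	fmt.Println(VerifyPackage(pub, index, ed25519.Sign(priv, index), "pacman", []byte("swapped on a mirror")))
}
```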
Posted Mar 26, 2011 10:47 UTC (Sat)
by tzafrir (subscriber, #11501)
[Link] (2 responses)
Do you effectively check your system for revoked GPG keys?
Posted Mar 26, 2011 11:29 UTC (Sat)
by ovitters (guest, #27950)
[Link] (1 responses)
Posted Mar 26, 2011 13:17 UTC (Sat)
by sahko (guest, #54088)
[Link]
It affects every distribution shipping GNOME.
That's every one, besides Slackware. Will we see a LWN article about it?
Posted Mar 24, 2011 20:15 UTC (Thu)
by Thalience (subscriber, #4217)
[Link] (1 responses)
Petulance, whining, and claiming that your critics have libeled you will not win you any new friends.
Posted Mar 25, 2011 1:25 UTC (Fri)
by randomguy3 (subscriber, #71063)
[Link]
Posted Mar 24, 2011 21:14 UTC (Thu)
by piggy (guest, #18693)
[Link] (4 responses)
This won't affect my inclination to resubscribe, but I don't think a retraction from LWN would be out of order.
Posted Mar 25, 2011 2:29 UTC (Fri)
by ewan (guest, #5533)
[Link] (1 responses)
At the moment it just feels like a case of "he said"/"she said" - we could do with a credibly authoritative take.
Posted Mar 25, 2011 9:57 UTC (Fri)
by bo (guest, #56215)
[Link]
Posted Mar 25, 2011 16:17 UTC (Fri)
by vonbrand (subscriber, #4458)
[Link]
"Very evident axe to grind"? I don't see any "axe grinding" going on; this is an extremely serious security problem for Arch users, that just isn't being addressed by the distribution, as pointed out by LWN. Sure, the original complainant doesn't come across as exactly the most handsome and sharp messenger, but the message stands regardless.
Posted Mar 25, 2011 16:31 UTC (Fri)
by vonbrand (subscriber, #4458)
[Link]
So it is now out of line to comment that on $MAILLIST there is a flamefest, and summarize the positions stated there... Or perhaps the crime is to hint that the problem being discussed is serious and isn't handled by $POWERS_THAT_BE?
Posted Mar 25, 2011 0:23 UTC (Fri)
by IgnorantGuru (guest, #73857)
[Link] (3 responses)
As someone wrote me in email:
> 2. Every criticism you have levied against the Arch devs is borne out
> in their responses. They haven't implemented package signing and
> checking because it isn't "fun" (in their own words). "Lack of
> leadership" is too kind a way to describe the apparent loathing Arch
> devs have for their users.
At any rate, I posted a brief reply to Dan McGee which can also be read here:
http://igurublog.wordpress.com/2011/03/24/lwn-picks-up-on...
Posted Mar 25, 2011 8:46 UTC (Fri)
by ovitters (guest, #27950)
[Link]
Posted Mar 25, 2011 15:07 UTC (Fri)
by randomguy3 (subscriber, #71063)
[Link] (1 responses)
Which is not to say that he's right and you're wrong, of course. Just that the casual observer would probably be more inclined to believe Dan, because he doesn't come across as paranoid and aggressive.
Posted Mar 26, 2011 0:28 UTC (Sat)
by randomguy3 (subscriber, #71063)
[Link]
Posted Mar 25, 2011 8:44 UTC (Fri)
by rilder (guest, #59804)
[Link]
Posted Aug 8, 2012 7:16 UTC (Wed)
by Black_Sector (guest, #86168)
[Link] (1 responses)
What?....
Key signing can be a security threat. Of course what is a 'threat' or not depends on your threat model. If you are running a server for a corporation, yeah, I can see how anonymity could be low priority (no way you are going to 'hide' Google or Amazon.com inside of the darknet). However if you are an end user, perhaps some kind of 'hacktivist', leaving your 'web of trust' all over the internet is F--KING STUPID!
Think about it. You spent hours and hours, maybe weeks setting up your P2P darknet services, blocking javascript, hardening your system, setting up proxies, doing everything in your power to ERASE your personal history and fingerprints from the web and to avoid tracking......And here you are, connecting all over the place with signed keys. Seriously? I don't think people even stop to think about it, as if there was a choice.
Using key encryption is a poor way to protect your anonymity. Actually, it's like pouring gasoline on a fire to put it out. It does the OPPOSITE. It might offer some degree of encryption to protect your communication from your ISP or anyone without the right key, but other software can do that BETTER. Yes, better. What you sacrifice for your encryption is leaving your fingerprint that can be tied back to you. It makes a web that identifies you more than any cross-site cookie ever could. It tells the world every single thing about what you have been up to and where, in regard to things you signed off on. Every download, every extension, every app downloaded in your repo.....It tells the world about the person using your computer, you.
So really it depends on your threat model. I hack my apps anyway, and examine their config settings. I like setting my own dependencies rather than having Ubuntu tell me I need DNSMasq installed by default broadcasting my 'localhost' to the outside world after an update....I try to remove it and it breaks my network manager....Just terrible. I like the flexibility of arch.
I am coming from Chakra, but I realized I do not like KDE. So I might go with Liquid Lemur as a starting point, or I might try my hand at a clean install of Arch-Linux.
All this talk about how they do not use signing has CONVINCED me to use Arch again, after considering Gentoo/Sabayon. I am not somebody who wants to string a big 'web of trust' around the net when I am trying to protect my identity instead.
No key signing is a strength, not a weakness.
Posted Aug 8, 2012 18:13 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link]
If you're a hacktivist trying to stay hidden, I don't see how posting *public* builds on Arch would be leading to your goals. In any case, why couldn't it be Arch's key signing packages that go through the buildsystem (and making sure only verified developers submit builds to the system). What I'd like (if I were to consider using Arch) would be to make sure that what I have is what the buildsystem made. I don't think the build system has any notion of anonymity and it would hold no authority (at least to me) if it were anonymous.
If you think that people want an Arch machine to GPG sign all outgoing traffic either people are proposing outlandish signing policies or you're propping up a strawman.