
McGee: The real story behind Arch Linux package signing

McGee: The real story behind Arch Linux package signing

Posted Mar 24, 2011 19:32 UTC (Thu) by elanthis (guest, #6227)
Parent article: McGee: The real story behind Arch Linux package signing

I'm glad you guys posted this. Dan is right that the old article was a complete low point for LWN, but posting his follow up at least shows a desire to make right on past mistakes.

However, this is still a screw up for LWN and the correct thing to do is to add a large note to the top of the first article that points to this new one and explicitly states that the contents of the first have come under further scrutiny and new information has come to light.


McGee: The real story behind Arch Linux package signing

Posted Mar 25, 2011 1:06 UTC (Fri) by AndreE (guest, #60148) [Link] (3 responses)

Hardly. In fact, the original article takes it pretty easy on the Arch hivemind attitude towards package signing.

Three years to be pissing around about package signing is a complete joke. That the issue had to become so inflammatory before getting attention is even worse.

I guess if such an obvious security improvement like package signing is not considered important to the distribution and is left to the whims of developer interest, then Arch Linux really is nothing more than a hobby OS.

The volunteer excuse can now be used for anything. Dangerous default permissions? No developer interest! Remote exploit in kernel? No developer interest! Hey, Linux is just a toy OS right? Don't actually expect it to be fit for any purpose.

McGee: The real story behind Arch Linux package signing

Posted Mar 25, 2011 21:25 UTC (Fri) by intgr (subscriber, #39733) [Link] (2 responses)

> then Arch Linux really is nothing more than a hobby OS.

Indeed, that's what it is. Arch Linux has never strived to be an enterprise distribution. What do you expect from a group of 30 developers and almost no funding?

It's sad that there is no package signing yet, but there are numerous other distros that have it. If that's what you need, use those.

> Dangerous default permissions? No developer interest! Remote exploit in kernel? No developer interest!

But that's what the developers are interested in. Arch Linux often releases updates on the same day as upstreams — usually faster than even the experimental branches of other distros. There is no delay introduced by back-porting patches, security or otherwise. That's what it's all about, being agile and not overcomplicating things.

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 12:45 UTC (Sat) by rleigh (guest, #14622) [Link] (1 response)

> It's sad that there is no package signing yet, but there are numerous
> other distros that have it. If that's what you need, use those.

This is a really strange stance. Distribution security is something *all* distributions need to care about. I may not directly deal with that many end users of the software I package and distribute, but I sure as hell care deeply that they aren't going to get their systems compromised and exploited as a result of anything I do. If I didn't care about the users downloading my software, I'd be asking myself if I should be publicly distributing it at all. Signing packages is the root of all trust a user can have in any files downloaded from a distribution or its mirrors; without that, there is zero basis for any trust--I have no guarantee there has been any tampering at all.

> Arch Linux often releases updates on the same day as upstreams — usually
> faster than even the experimental branches of other distros. There is no
> delay introduced by back-porting patches, security or otherwise.
> That's what it's all about, being agile and not overcomplicating things.

Having the knowledge that the software you are downloading from a mirror is genuine isn't really anything to do with any of this though: it's a fundamental requirement for a modern distribution. Everything should be signed, always. It doesn't matter how quick and "agile" you are getting a release out if your users cannot place *any* trust in the origin and authenticity of the files they are downloading.

Regards,
Roger

McGee: The real story behind Arch Linux package signing

Posted Mar 26, 2011 14:31 UTC (Sat) by intgr (subscriber, #39733) [Link]

You misunderstood what I meant to say. I'm not defending Arch Linux's lack of package signing, I very much understand and agree that it's necessary.

I was just saying that Arch Linux *is* a hobby OS, as you suggested yourself; it doesn't aim to be more than that.

You make it sound like package signing is the only important feature about a distro.

McGee: The real story behind Arch Linux package signing

Posted Mar 25, 2011 1:38 UTC (Fri) by AndreE (guest, #60148) [Link] (1 responses)

Just to add, the contents of the other article haven't "come under further scrutiny" and new information hasn't "come to light".

Another party has submitted a contested version of events. We have no reason to treat his version as canonical. LWN did the right thing in pointing to his reply.

And regardless, the wider issue about their attitude to security still stands, regardless of whose story you choose to believe.

McGee: The real story behind Arch Linux package signing

Posted Mar 25, 2011 14:14 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

At least some of what's claimed by McGee is contradicted by his own sources. In some places he even directly contradicts himself. Overall my take on this is "Wah, it's mean that people said these things about us, even if they were true, they should shut up about it". The attack on LWN itself would be more convincing if he'd said this six months ago, or six years from now, rather than immediately after an article that is critical of him and his project.

Consider the smoking gun. A bug is filed. The bug has code in it which helps fix a problem. Plenty of people leap on the chance to assert that it's irrelevant to the problem. None of them seem to really understand or explain why‡ MD5 isn't a problem here. McGee makes an unsupported claim about relative likelihood of different attack scenarios, and says the patch as provided isn't acceptable because of its format.

The poster asks for reassurance that reformatting will result in acceptance. He hears nothing for three weeks.

Until the LWN article is published, whereupon magically the change at the top of the bug is applied along with a bug fix and the ticket is closed without comment. Spooky.

‡ Plausible MD5 collision attacks rely on the party who makes package A (the "good" package) colluding with the party that makes package B (the "bad" package) to enable the collision so that A and B have the same hash. This is a serious problem in MD5, but it's not clear that it's a practical threat to a Linux distribution. Still, using SHA256 can't hurt.
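The two points made above, rleigh's "signing packages is the root of all trust" and the footnote on why an MD5 collision is a different threat from a tampering mirror, can be shown concretely. The following Go program is an added example for this page, not code from Arch, pacman or any commenter. It models a mirror that serves packages plus a database of digests: a bare digest check, with any hash algorithm, accepts whatever the mirror substitutes, because the mirror also controls the digest list; a signature over the digest list by a key the client already holds catches the substitution. The manifest format, the Ed25519 key (derived from a fixed seed for reproducibility), the package names and the package contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps package file names to SHA-256 digests. It stands in for
// the repository database a mirror serves; the format is constructed for
// this example and is not Arch's actual database layout.
type Manifest map[string]string

// Encode renders the manifest canonically (sorted, one entry per line) so
// that the signature always covers exactly one byte sequence.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// HashOK is the unsigned check: does the package match the digest in
// whatever manifest the mirror handed out? A mirror that replaces both
// the package and its digest passes this trivially.
func HashOK(m Manifest, name string, pkg []byte) bool {
	sum := sha256.Sum256(pkg)
	return m[name] == hex.EncodeToString(sum[:])
}

// SignedOK additionally requires a valid signature over the manifest from
// a key the client already trusts, so a mirror cannot swap digests.
func SignedOK(pub ed25519.PublicKey, sig []byte, m Manifest, name string, pkg []byte) bool {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return false
	}
	return HashOK(m, name, pkg)
}

// Scenario publishes a signed manifest for a genuine package, then lets a
// mirror substitute a tampered package together with a matching manifest.
// It reports whether the genuine package passes the signed check, and
// whether the unsigned and signed checks accept the tampered package.
func Scenario() (genuineOK, hashAcceptsTampered, signedAcceptsTampered bool) {
	const name = "foo-1.0.pkg.tar.xz" // hypothetical package name

	// Fixed seed so the run is reproducible; a real signing key is random.
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	genuine := []byte("genuine package contents (constructed sample)")
	gh := sha256.Sum256(genuine)
	manifest := Manifest{name: hex.EncodeToString(gh[:])}
	sig := ed25519.Sign(priv, manifest.Encode())
	genuineOK = SignedOK(pub, sig, manifest, name, genuine)

	// The mirror serves a backdoored package and a manifest listing its
	// digest, but it has no private key and so reuses the old signature.
	evil := []byte("backdoored package contents (constructed sample)")
	eh := sha256.Sum256(evil)
	mirrorManifest := Manifest{name: hex.EncodeToString(eh[:])}
	hashAcceptsTampered = HashOK(mirrorManifest, name, evil)
	signedAcceptsTampered = SignedOK(pub, sig, mirrorManifest, name, evil)
	return
}

func main() {
	g, h, s := Scenario()
	fmt.Printf("genuine package passes signed check: %v\n", g)
	fmt.Printf("unsigned digest check accepts tampered package: %v\n", h)
	fmt.Printf("signed manifest check accepts tampered package: %v\n", s)
}
```

The digest algorithm is irrelevant to the substitution case: swapping SHA-256 for MD5 in HashOK changes nothing, because the attacker never needs a collision when it also controls the digest list. A collision only becomes the attacker's problem once the list is signed, and even then, as the footnote says, the practical MD5 attacks need the attacker to author both colliding files.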

McGee: The real story behind Arch Linux package signing

Posted Mar 31, 2011 10:21 UTC (Thu) by jschrod (subscriber, #1646) [Link]

Last week's article *had* a link to McGee's blog, besides making it very clear that it reports about an opinion of the story. I read both last week, the article and the blog. IMNSHO, the facts didn't really differ, more the interpretation and reporting of details.

So, where did the content of the first come under "further scrutiny"? (It's the one-side view of the story where McGee's is the other-side view.)
And, where is the new information that has come to light?

I don't consider last week's report a low point, I consider it very interesting and applaud LWN.net to inform me about that discussion.

For the record: I have never used Arch Linux, don't intend to, and don't know any of the involved persons. I follow this story only because I'm interested in the state of Linux distributions.

I assume that you are as uninvolved in Arch Linux as I am, otherwise you would have surely noted that.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds