kernel.org compromised

Posted Sep 1, 2011 13:06 UTC (Thu) by eupator (guest, #44581)
In reply to: kernel.org compromised by yokem_55
Parent article: kernel.org compromised

This analysis assumes that the compromised git.kernel.org serves the same contents to everyone, which is not necessarily true.



kernel.org compromised

Posted Sep 1, 2011 14:39 UTC (Thu) by epa (subscriber, #39769)

Obviously instead of releasing "Linux 3.0" Linus should have announced Linux version 02f8c6aee8df3cdc935e9bdd4f2d020306035dbe and instructed everyone to fetch it using git instead of downloading source tarballs. (Really, why are we still doing that?)

kernel.org compromised

Posted Sep 1, 2011 15:25 UTC (Thu) by nix (subscriber, #2304) (4 responses)

Even if it doesn't, Linus's and Greg's tags are signed and validate against a key fetched long before the compromise: and I very much doubt their private keys are on kernel.org.

kernel.org compromised

Posted Sep 2, 2011 2:34 UTC (Fri) by Duncan (guest, #6647) (1 response)

You may be doubting wrong. See the last paragraph of the H-Online coverage, here:

http://www.h-online.com/open/news/item/Security-breach-at...

Apparently the signatures are generated on a server @ kernel.org, and it's as yet unclear whether the crackers had access to all the necessary components for signing, or not.

Duncan

kernel.org compromised

Posted Sep 2, 2011 14:25 UTC (Fri) by nix (subscriber, #2304)

I'm not talking about the PGP signatures for the tarballs. I'm talking about the signed *tags* in the git tree: the object you see via e.g. 'git show v3.0.4'. That is part of the git repo and cannot be forged without access to Greg's private key. Now a hostile attacker could add a fake one, but the key would be different, and Greg would be certain to notice.

kernel.org compromised

Posted Sep 2, 2011 5:07 UTC (Fri) by eupator (guest, #44581) (1 response)

A very good point about GKH - users of his stable trees are indeed protected, assuming they check the signatures. Less so, sadly, about Linus - the tip of his tree isn't signed, and even if it was, I don't have a path of trust to his key.

kernel.org compromised

Posted Sep 2, 2011 14:28 UTC (Fri) by nix (subscriber, #2304)

The tip isn't signed, but the rcs are, so you know that v3.1-rc4, released Aug 28 2011, is legitimate, and so is all the history leading up to it.

Conclusion: the git tree is not compromised up to that point.
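The reasoning in the two comments above (a signed tag such as v3.0.4 or v3.1-rc4 vouches not only for the tagged commit but for all the history leading up to it) rests on how git names objects. The following is an added example, not code from the thread or from the kernel project: it recomputes git's object ids in pure Python (blob, tree, commit, and the tag payload that a PGP signature covers), builds a small constructed history standing in for the kernel tree, then silently edits a file in the root commit and shows that every commit id from that point on, and therefore the `object` line inside the signed tag, changes. The identity string, file contents and tag name are constructed; the tree builder flattens directories into a single tree for brevity, where real git nests one tree object per directory. The PGP step itself is not reproduced; in a real checkout it is what `git verify-tag v3.1-rc4` performs over exactly the payload bytes produced here.

```python
import hashlib

# Constructed identity; real kernel tags carry Linus's or Greg's name and key.
IDENT = "Example Tagger <tagger@example.invalid> 1314540000 +0000"


def git_hash(obj_type: str, content: bytes) -> str:
    """Object id as git computes it: SHA-1 over "<type> <size>\\0<content>"."""
    header = f"{obj_type} {len(content)}".encode() + b"\x00"
    return hashlib.sha1(header + content).hexdigest()


def blob_id(data: bytes) -> str:
    return git_hash("blob", data)


def tree_id(entries: dict) -> str:
    """Tree of regular files; entries map filename -> blob id (hex).
    Git stores entries sorted by name with the raw 20-byte id.
    Simplification: paths with '/' are kept in one flat tree here."""
    body = b"".join(
        b"100644 " + name.encode() + b"\x00" + bytes.fromhex(entries[name])
        for name in sorted(entries)
    )
    return git_hash("tree", body)


def commit_id(tree: str, parents: list, message: str) -> str:
    """Commit object: the tree id, the parent ids, author/committer, message."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message]
    return git_hash("commit", ("\n".join(lines) + "\n").encode())


def tag_payload(commit: str, tag_name: str) -> bytes:
    """Bytes a PGP signature on an annotated tag covers: the tag object
    without its signature block. Note the tip commit id is embedded."""
    return (
        f"object {commit}\ntype commit\ntag {tag_name}\n"
        f"tagger {IDENT}\n\n{tag_name}\n"
    ).encode()


def build_history(revisions: list) -> list:
    """Linear history: one commit per revision, holding that revision's files."""
    ids = []
    for n, files in enumerate(revisions):
        tree = tree_id({name: blob_id(data) for name, data in files.items()})
        ids.append(commit_id(tree, ids[-1:], f"rev {n}"))
    return ids


def with_backdoored_ancestor(revisions: list, index: int, filename: str, data: bytes) -> list:
    """Same history, but one file in the commit at `index` silently replaced."""
    edited = [dict(files) for files in revisions]
    edited[index][filename] = data
    return build_history(edited)


# Constructed three-revision history standing in for the kernel tree.
REVISIONS = [
    {"Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n"},
    {"Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n",
     "init/main.c": b"int main(void) { return 0; }\n"},
    {"Makefile": b"VERSION = 3\nPATCHLEVEL = 1\nEXTRAVERSION = -rc4\n",
     "init/main.c": b"int main(void) { return 0; }\n"},
]


def compare(tag_name: str = "v3.1-rc4") -> dict:
    """Hash the clean history and one with a backdoored root commit; report what changes."""
    clean = build_history(REVISIONS)
    dirty = with_backdoored_ancestor(REVISIONS, 0, "Makefile", b"VERSION = 3\n# backdoor\n")
    return {
        "clean": clean,
        "dirty": dirty,
        "clean_payload": tag_payload(clean[-1], tag_name),
        "dirty_payload": tag_payload(dirty[-1], tag_name),
        # Every commit at or after the edited one gets a new id, so a tag signed
        # over the clean tip cannot verify against the rewritten history.
        "first_divergence": next(i for i, (a, b) in enumerate(zip(clean, dirty)) if a != b),
    }


if __name__ == "__main__":
    r = compare()
    print("clean tip ", r["clean"][-1])
    print("dirty tip ", r["dirty"][-1])
    print("history diverges at commit", r["first_divergence"])
    print("signed tag payload unchanged:", r["clean_payload"] == r["dirty_payload"])
```

The blob and empty-tree ids produced by `blob_id` and `tree_id` match what `git hash-object` and `git write-tree` emit, which is the point: an attacker who rewrites any ancestor has to rewrite every descendant id as well, and the tag's signature was made over a payload naming the original tip.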


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds