
kernel.org compromised

Posted Sep 1, 2011 15:25 UTC (Thu) by nix (subscriber, #2304)
In reply to: kernel.org compromised by eupator
Parent article: kernel.org compromised

Even if it doesn't, Linus's and Greg's tags are signed and validate against a key fetched long before the compromise: and I very much doubt their private keys are on kernel.org.


kernel.org compromised

Posted Sep 2, 2011 2:34 UTC (Fri) by Duncan (guest, #6647) [Link] (1 responses)

You may be doubting wrong. See the last paragraph of the H-Online coverage, here:

http://www.h-online.com/open/news/item/Security-breach-at...

Apparently the signatures are generated on a server @ kernel.org, and it's as yet unclear whether the crackers had access to all the necessary components for signing, or not.

Duncan

kernel.org compromised

Posted Sep 2, 2011 14:25 UTC (Fri) by nix (subscriber, #2304) [Link]

I'm not talking about the PGP signatures for the tarballs. I'm talking about the signed *tags* in the git tree: the object you see via e.g. 'git show v3.0.4'. That is part of the git repo and cannot be forged without access to Greg's private key. Now a hostile attacker could add a fake one, but the key would be different, and Greg would be certain to notice.
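An added example, not code from this thread or from the kernel project: a POSIX shell check of the kind nix describes, which accepts a git tag only when `git verify-tag --raw` reports a valid signature from a key whose primary fingerprint was pinned out of band (i.e. fetched long before any compromise), and rejects a "fake" tag signed with some other key. The pinned fingerprint and the GnuPG status lines below are constructed placeholders, not Greg's or Linus's real keys.

```shell
#!/bin/sh
# Added example: pin a maintainer's primary key fingerprint and check a tag
# against it. PINNED_FPR is a constructed placeholder; in practice it is
# recorded from a key obtained before the incident, never from the server.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# tag_trusted PINNED STATUS_TEXT
# STATUS_TEXT is GnuPG status-fd output (what `git verify-tag --raw` prints).
# Returns 0 only if there is no hard failure line and a VALIDSIG whose
# primary-key fingerprint (last field of VALIDSIG) equals PINNED.
tag_trusted() {
    pinned=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    status="$2"
    # Any hard failure wins, regardless of what else gpg printed.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|REVKEYSIG|EXPKEYSIG) '; then
        return 1
    fi
    signer=$(printf '%s\n' "$status" |
        awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}' | tr 'a-f' 'A-F')
    [ -n "$signer" ] && [ "$signer" = "$pinned" ]
}

# check_git_tag TAGNAME: run the check against a real repository.
# Needs git and gpg with the pinned public key imported; not run here.
check_git_tag() {
    tag_trusted "$PINNED_FPR" "$(git verify-tag --raw "$1" 2>&1)"
}

# Constructed sample status output: a genuine tag signed by the pinned key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-08-28 1314500000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE'

# Constructed: a well-formed signature, but from a different (attacker) key.
# gpg happily says GOODSIG; only the fingerprint pin catches it.
FORGED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-09-01 1314800000 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED'

# Constructed: tag object modified after signing, so the signature fails.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>'
```

Note that the spoofed tag carries the same name and e-mail in its GOODSIG line; the only thing that distinguishes it is the fingerprint, which is why pinning the key rather than trusting "a good signature" is the whole point.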

kernel.org compromised

Posted Sep 2, 2011 5:07 UTC (Fri) by eupator (guest, #44581) [Link] (1 responses)

A very good point about GKH - users of his stable trees are indeed protected, assuming they check the signatures. Less so, sadly, about Linus - the tip of his tree isn't signed, and even if it was, I don't have a path of trust to his key.

kernel.org compromised

Posted Sep 2, 2011 14:28 UTC (Fri) by nix (subscriber, #2304) [Link]

The tip isn't signed, but the rcs are, so you know that v3.1-rc4, released Aug 28 2011, is legitimate, and so is all the history leading up to it.

Conclusion: the git tree is not compromised up to that point.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds