<div dir="ltr">There's been a lot of discussion on this, which is surprising given that this is the wrong place for it. Maybe next we can discuss how to improve AutoYAST or IIS.<div><br></div><div>Some people seem to have forgotten that CentOS, despite the recent change in employment status of several of its core members, is the *downstream* rebuilder. They get their sources via <a href="http://git.centos.org">git.centos.org</a> from a prominent North American Linux reseller, just like the rest of us.</div>
<div><br></div><div>Read that again: CentOS is not special. They are *consumers* of the sources, not the producers.</div><div><br></div><div>No, really.</div><div><br></div><div>So if CentOS pushed a zillion signed tags to <a href="http://git.centos.org">git.centos.org</a>, that'd only mean that CentOS trusts those sources. If, as Nico suggested, <a href="http://git.centos.org">git.centos.org</a> was pwned, then CentOS just certified bogus sources. IOW, a signed tag from Jim, or Johnny, or KB, or any of the other CentOS devs means precisely fuck-all, and not a bit more, because they get the sources through the EXACT SAME distribution channel that the rest of us do. CentOS is not special, they just look that way. Really, if this is the assurance you want, just add your own signed tags to your local repo -- it's just as meaningful.</div>
<div><br></div><div>What do we want? FUCK-ALL! When do we want it? NOW!<br></div><div><br></div><div>If you want *actual* cryptographic assurance that the sources you're grabbing from <a href="http://git.centos.org">git.centos.org</a> are the same sources pushed there by the *upstream* vendor, maybe, just maybe, you should ask that upstream vendor. Otherwise it's just garbage in, garbage out, and they're only certifying that the sources you download match the sources someone else downloaded. I guess misery loves company, but that sure doesn't seem helpful.</div>
<div><br></div><div>I'll warn you, though, since the specter of the all-powerful NSA was raised: they already have Red Hat's signing keys. And yours, too.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Sun, Jul 6, 2014 at 5:54 PM, Nico Kadel-Garcia <span dir="ltr"><<a href="mailto:nkadel@gmail.com" target="_blank">nkadel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">On Sun, Jul 6, 2014 at 5:23 PM, Mark Mielke <<a href="mailto:mark.mielke@gmail.com">mark.mielke@gmail.com</a>> wrote:<br>
<br>
> A PGP-signed tag makes a promise about the content but does *not* make a<br>
> promise about the origin host.<br>
><br>
> So, they are not the same.<br>
><br>
> In the case of <a href="http://git.centos.org" target="_blank">git.centos.org</a>, somebody who manipulates the repositories<br>
> could likely fake the repository content being consistent, but would have a<br>
> more difficult time faking a signature where the public key is stored<br>
> elsewhere that <a href="http://git.centos.org" target="_blank">git.centos.org</a> (such as one of the PGP key servers). The<br>
> SSL/SSH for <a href="http://git.centos.org" target="_blank">git.centos.org</a> would continue to pass, but the signature would<br>
> not.<br>
><br>
> The other case already mentioned was the case that the content has an<br>
> intermediate resting point. That is, I clone from <a href="http://git.centos.org" target="_blank">git.centos.org</a>, and then I<br>
> publish to somebody else. How do they know which content is authentic...<br>
> mine or <a href="http://git.centos.org" target="_blank">git.centos.org</a>? Being able to point to the signed tag shows<br>
> cryptographically who signed the content and this could be an important<br>
> differentiator in determining which source is the "real" source.<br>
<br>
</div>In theory, someone could publish a faked GPG tag to go with it. But<br>
GPG tags are *much* more portable and applicable to arbitrary content.<br>
They seem to be fundamental to the way Red Hat has been publishing RPM<br>
and SRPM's for years, and the way CentOS does, to allow reasonably<br>
safe third party mirrors to carry the software.<br>
<div class=""><br>
><br>
> Now:<br>
>><br>
>><br>
>> the bottom line is that unless you can get an authoritative manner of<br>
>> initial keyexchange, that you can absolutely trust, nothing else down<br>
>> the line is going to be any more secure than the initial handover. I'm<br>
>> happy to setup a keysign and keyexchange event at every dojo we run, but<br>
>> even that is likely to only reach a small fraction of the entire userbase.<br>
<br>
</div>There are too many SSL environments that have *no* reliable key<br>
exchange for the upstream site, due to mandataory or mishandled<br>
proxies or local caching of the software repository. I've pointed out<br>
a few.<br>
<br>
Worse, once a <a href="http://git.centos.org" target="_blank">git.centos.org</a> repository is cloned locally, upstream<br>
SSL is no longer necessarily used. It is certainly possible to clone a<br>
repository with all commits *up to* the commit transaction for the<br>
final SRPM build and manipulation of '[package].metadata', then inject<br>
a local commit after that change, along with arbitrary trojan content.<br>
<br>
The link to the upstream SSL repository would no longer necessarily be<br>
used. One could do a comparison against the upstream repository at<br>
<a href="http://git.centos.org" target="_blank">git.centos.org</a>, but that's an extra and unexpected step.<br>
<div class=""><br>
>> So the only way to get the originating gpg key ( that you'd verify<br>
>> against ) is over ssl on the internet, which also implies that having<br>
>> <a href="http://git.centos.org" target="_blank">git.centos.org</a> behind the same leave lof trust puts us no worse off.<br>
<br>
</div>Nonsense. It can come from any of dozens if not hundreds of mirror<br>
sites worldwide. And it can be verified in a way that SSL cannot, by<br>
reviewing the signature chain personally rather than relying on<br>
centralized certification authorities that have repeatedly proven<br>
themselves incompetent, or that are deliberately suborned as a matter<br>
of local policy.<br>
<div class=""><br>
> I think you may be dismissing the two scenarios... 1) <a href="http://git.centos.org" target="_blank">git.centos.org</a> gets<br>
> compromised, 2) intermediate resting point. Both of these require the<br>
> *content* to be signed. You are only providing authentication of the<br>
> original source which does not address either of these points effectively.<br>
<br>
</div>I'm less worried about <a href="http://git.centos.org" target="_blank">git.centos.org</a> getting p0wned. I am worried<br>
about what you refer to as "intermediate resting points". I'm also<br>
concerned that if *I* make a fork of, say, the OpenSSH repository,<br>
write patches, and submit them or use them, that I have a reliable and<br>
consistent "benchmark" version of the software. If I get p0wned, GPG<br>
tags on the buld versions of upstream software would help me review<br>
and verify, locally, that the template from upstream is good.<br>
<div class=""><br>
> So, I don't think it is correct that the "bottom line" is as you state<br>
> above. The real "bottom line" is that SSL/SSH only authenticates the source<br>
> host. It provides *no* guarantee for the source content.<br>
<br>
</div>You've captured the substance of my concern.<br>
<div class=""><br>
> If you authenticated the content, you wouldn't actually need to authenticate<br>
> the source host. This is how Bittorrent works in general. It doesn't matter<br>
> how the bytes get from point A to point B, as long as the final result has<br>
> the correct *content*. SSL/SSH do not guarantee the correct *content* so it<br>
> is rather ineffective as a means of authenticating the content. It's saying<br>
> "trust me... I'm git.centos.org... what could go wrong?"<br>
<br>
</div>And there are a stack of environments where the SSL is inaccessible,<br>
such as isolated build hosts with no external network access. (I work<br>
with some of thiose.)<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
CentOS-devel mailing list<br>
<a href="mailto:CentOS-devel@centos.org">CentOS-devel@centos.org</a><br>
<a href="http://lists.centos.org/mailman/listinfo/centos-devel" target="_blank">http://lists.centos.org/mailman/listinfo/centos-devel</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Chris St. Pierre
</div>