Mailing List Archive

Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Dear Gentoo Security Experts,

I am very proud to announce that I have managed to perform
the crucial security fix assignment I have been given by
Kurt Lieber and Dan Margolis. After I had kissed some ass,
publicly humiliated myself, and swallowed a couple of dozen
insults, I was deemed worthy enough to do what Kurt referred
to as "to work with [him] to help [finding] ways to fix it".

For various reasons which he didn't bother to elaborate on
the public mailing list -- probably for good reason --, it
turned out that my suggested solution to the fact that
Gentoo users all over the Internet are completely
defenseless against man-in-the-middle attacks was considered
absolutely unfeasible.

So he informed me that the ONLY WAY to do anything against
that little glitch is to sign the daily Portage snapshot
that's available for download with "emerge-webrsync". This
does protect a flabbergasting total of ... I dunno ... maybe
.1 percent of the user base, so it is better than nothing.

Since all the Gentoo developers were unavailable to perform
the necessary modifications to the snapshot creation script
-- for the last 1.5 years -- he kindly sent it to me as a
MIME attachment so that I could "write the code".

Needless to say I was thrilled.

Finally my chance to prove that I am not an idiot, but an
idiot who also contributes to Gentoo!

I managed to software-engineer the necessary "patch" to make
the script generate a full-blown GPG signature for the
snapshot archive, and I would like to post the diffs here so
that the procedure can be peer-reviewed.

So without further ado, here is my contribution:

--- snapshots-create.sh
+++ snapshots-create.sh
@@ -12,7 +12,7 @@
#
# Define locations for stuff
#
-
+SIGNKEYID="41BC28FE99089D72"
MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives
TEMP="/tmp/xxxxxxx/" #working directory
#UPLOAD="/xx/xx/xx/xxx/upload/" #temp location for testing
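Review bot: the new SIGNKEYID line carries no comment saying what it refers to, and the value only works on a host whose keyring holds the matching secret key (the post explains this further down, but the script itself should say so). Suggest `SIGNKEYID="41BC28FE99089D72"  # secret key must be present in the keyring of the user running this script`, and consider pinning the full fingerprint rather than a 16-hex-digit key ID, since `-u` accepts either and the fingerprint is the unambiguous identifier.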
@@ -42,7 +42,8 @@

/bin/tar --exclude=CVS -cjf ${FILENAME} portage
/usr/bin/md5sum ${FILENAME} > ${FILENAME}.md5sum
-/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD}
+/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output ${FILENAME}.gpgsig ${FILENAME}
+/bin/mv ${FILENAME} ${FILENAME}.md5sum ${FILENAME}.gpgsig ${UPLOAD}
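Review bot: gpg's exit status is not checked, so when signing fails (secret key absent, or a passphrase-protected key that --batch cannot unlock) the script falls through to the mv, which moves the archive and its .md5sum into ${UPLOAD} and merely complains about the missing .gpgsig, i.e. an unsigned snapshot gets published. Append `|| exit 1` to the gpg line (or put `set -e` near the top of the script). Two smaller points in the same lines: ${FILENAME} and ${UPLOAD} are unquoted while ${SIGNKEYID} is quoted, so quote all three consistently; and the .md5sum file is outside the signature, so a client must treat the detached signature over the tarball as the integrity check and the md5sum as a transfer-corruption check only.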

Now, this is mission-critical software and you really need
to be a top-notch security specialist to do this. So to make
sure there are no problems integrating the script into the
mind-blowingly fragile Gentoo main server setup, I have to
make a few comments to make sure nothing gets messed up
here.

Kurt, I realize that submitting my homework as a diff makes
matters more complicated for you. You have to save that
snippet above to a file and then use the utility patch(1).
If you have _any_ problems with this, please don't hesitate
to let me know, and I'll send you the complete script in
private e-mail.

Before you can use the hardened version of this software,
you have to customize it. Since I have NO ACCESS TO THE
GENTOO SERVERS, the script is tailored for my own system.
The casual readers of this list might want to skip the
following paragraphs, because it's getting really technical
now for a moment.

Everybody else please look closely at the first chunk.
You'll find a line like this:

SIGNKEYID="41BC28FE99089D72"

This statement assigns a variable with the ID of the key
that is going to be used later in the script to generate the
cryptographic signature. I chose to use a variable here so
that the key ID can be configured at the top of the script,
instead of burying that parameter amidst 78 lines of
comments, whitespace, and several complex calls to tar(1)
and other Unix magic. I realize that using a variable adds a
level of indirection which might have performance
implications that are difficult to predict. Kurt, should
this version be too slow to manage the job in time on the
machines, I'll remove that again, okay?

My point about that line is, though: This key ID will NOT
WORK on your machine! The reason is that to issue a
signature, you have to use the secret key of the GPG
key-pair. So although you can download a key with that ID
from every public key server, this will not work! You really
need the secret key.

To make the script work nonetheless you have to:

(1) Start appropriate text editing software. On most Gentoo
machines, the tool nano(1) can be used for this.

(2) Repeatedly hit the cursor-down button on your keyboard
until that white rectangle you're seeing is right over
that SIGNKEYID line from above.

(3) Stop hitting cursor-down now!

(4) If the white rectangle has moved past that line
already, then you have to hit CTRL-Z, then enter

kill -9 %1

and go back to step (1) and try again.

(5) Don't give up.

(6) If you have successfully navigated the white rectangle
to the line, hit cursor-right repeatedly until it has
reached the point right after the first double quote.

(7) Don't give up.

(8) Switch into overwrite mode and enter the ID of your
secret key.

(9) Save the modified script and exit the text editing
software. I'd love to give more details on this step,
but unfortunately the exact procedure is implementation
defined.

After you have successfully edited the key ID to match the
one your secret key has, you should be ready to try it out.
Just enter "snapshots-create.sh" and see what happens.

What do you mean it doesn't work?

Hmmm. Does "./snapshots-create.sh" work?

Doesn't either?

Hmmm. Ah, wait. Enter "chmod +x snapshots-create.sh".

Good, now run the "./snapshots-create.sh" command again.

STILL doesn't work?

What does it say on the screen?

Nothing?

Hahaha, now I got it. No, no, that's perfectly alright. It
will take a while for the script to return; that thing runs
a while. Yes, security-related software does require lots
and lots of CPU time; that really can't be helped in any
way, so please be patient.

Now, if the script has returned at last you will find the
following files in the Gentoo download area:

portage-20041109.tar.bz2
portage-20041109.tar.bz2.gpgsig
portage-20041109.tar.bz2.md5sum

Don't be concerned if the filenames don't match exactly.
These numbers depend on the t-coordinate of the system the
script is run on; that is a kind of unique hash to guarantee
that no filename collisions occur.

If this has succeeded, then you have a TOTALLY secure Gentoo
distribution now; there really is nothing left to worry
about.

Just execute "emerge sync", wait until it comes back and ...
everything still works, no hacker has injected any modified
/usr/portage/eclass/eutils.eclass file into your machine,
you are totally SAFE!

Of course, I wouldn't install any new software for the next
1.5 years because there remains a small, insignificant
chance that doing this will erase your hard disk, install
Red Hat Linux, or do other horrible things.

But you know how the old saying goes: Never change a running
system!

Exactly.

WARNING *** WARNING *** WARNING *** WARNING

My instructions have been written for the final version of
this hardening mechanism. Right now, the "totally secure"
bit is not quite accurate because I still haven't gotten to
"patch" any of the Gentoo tools to verify that signature.

Or, to be perfectly honest, I have gotten to but didn't
manage.

There is some complexity to the task that wasn't quite
understood when I agreed to do all this for Gentoo, because
before I can call GPG to verify the signature, I have to
execute

source /etc/make.conf

to import some more variables, so that the user can
switch authentication on/off, set the path to the official
Gentoo key and all that. And frankly, it is just too damn
difficult.

Anyway, I promise I will do that ASAP. Let's see ... we have
2004 now ... Man, that is gonna take a while. Because, as it
happens, I have other stuff to do, too, you know? It's not
like I am getting paid for all this!

And besides: I simply don't give a shit.

Cheers,

Peter

--
gentoo-security@gentoo.org mailing list
Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Simons wrote:
> (4) If the white rectangle has moved past that line
> already, then you have to hit CTRL-Z, then enter
>
> kill -9 %1
>
> and go back to step (1) and try again.

It's important to recognize that these directions make the mistaken
assumption that there are no other backgrounded/suspended processes, in
which case kill -9 %1 may actually result in you terminating the wrong
process!

A GLSA is in the works to correct this serious security flaw. Stay tuned
for further details.
- --
Dan "KrispyKringle" Margolis
Security Coordinator/Audit Project, Gentoo Linux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iQEVAwUBQZLXq7DO2aFJ9pv2AQLn8Qf+IKxn835Sr+m24bYnKmqSRlSgLTa+N62h
fSP62gEV/g329UppPdpusMpxntz6EKyj93By6X+LyQiakadyphEEytmEyE/V/1mG
5CqQ+B5/2p/NQkDk65h60ZxpeQfHc5+2tcc4SywxKHYtsGHpUPa5jdM9DoUbO5Ue
hubj0bIRpJ6X3bj0qnTxs8rqBci3rqd2rZi/lgn+jroCgpt/w0eMW6cBYG41h3eQ
TsWDqrktUkGUyAerH4XxTnvhn3JGq3Z6pUm16oN6ODPIgdYCXFjoZUMKhEhmWLD6
/kXu04O3WeK7s+P/oPrVYuHqV+gD/BTjzdGWF/aWuhSfa6dxspdldw==
=AlG/
-----END PGP SIGNATURE-----

Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Hi,

why do you extract all files in the tar archive? It doesn't make sense at all,
you can sign and hash the tar as it is, no security will be gained by
extracting the whole archive, that's crap like your script.
Only performance will be worse.

how about:

SIGNKEYID="blablubb"
MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives
TEMP="/tmp/xxxxxxx/" #working directory
PORTARCHIVE="portage.tar.bz2"
MD5SUM="/usr/bin/md5sum"
GPG="/usr/bin/gpg"

${MD5SUM} "${PORTARCHIVE}" > "${PORTARCHIVE}.md5"
${GPG} --batch -u "${SIGNKEYID}" --armor --detach-sign --output "${PORTARCHIVE}.sig" "${PORTARCHIVE}"

Now only some parts in emerge-webrsync have to be modified to prove the
signature and hash to be correct before extracting the portage package, or you
can do it by hand.

And please stop your sarcastic expressions.

cu

> -/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD}
> +/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output
> ${FILENAME}.gpgsig ${FILENAME} +/bin/mv ${FILENAME} ${FILENAME}.md5sum
> ${FILENAME}.gpgsig ${UPLOAD}

On Thursday, 11 November 2004 03:04, Peter Simons wrote:
> Dear Gentoo Security Experts,
>
> I am very proud to announce that I have managed to perform
> the crucial security fix assignment I have been given by
> Kurt Lieber and Dan Margolis. After I had kissed some ass,
> publicly humiliated myself, and swallowed a couple of dozen
> insults, I was deemed worthy enough to do what Kurt referred
> to as "to work with [him] to help [finding] ways to fix it".
>
> For various reasons which he didn't bother to elaborate on
> the public mailing list -- probably for good reason --, it
> turned out that my suggested solution to the fact that
> Gentoo users all over the Internet are completely
> defenseless against man-in-the-middle attacks was considered
> absolutely unfeasible.
>
> So he informed me that the ONLY WAY to do anything against
> that little glitch is to sign the daily Portage snapshot
> that's available for download with "emerge-webrsync". This
> does protect a flabbergasting total of ... I dunno ... maybe
> .1 percent of the user base, so it is better than nothing.
>
> Since all the Gentoo developers were unavailable to perform
> the necessary modifications to the snapshot creation script
> -- for the last 1.5 years -- he kindly sent it to me as a
> MIME attachment so that I could "write the code".
>
> Needless to say I was thrilled.
>
> Finally my chance to prove that I am not an idiot, but an
> idiot who also contributes to Gentoo!
>
> I managed to software-engineer the necessary "patch" to make
> the script generate a full-blown GPG signature for the
> snapshot archive, and I would like to post the diffs here so
> that the procedure can be peer-reviewed.
>
> So without further ado, here is my contribution:
>
> --- snapshots-create.sh
> +++ snapshots-create.sh
> @@ -12,7 +12,7 @@
> #
> # Define locations for stuff
> #
> -
> +SIGNKEYID="41BC28FE99089D72"
> MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives
> TEMP="/tmp/xxxxxxx/" #working directory
> #UPLOAD="/xx/xx/xx/xxx/upload/" #temp location for testing
> @@ -42,7 +42,8 @@
>
> /bin/tar --exclude=CVS -cjf ${FILENAME} portage
> /usr/bin/md5sum ${FILENAME} > ${FILENAME}.md5sum
> -/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD}
> +/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output
> ${FILENAME}.gpgsig ${FILENAME} +/bin/mv ${FILENAME} ${FILENAME}.md5sum
> ${FILENAME}.gpgsig ${UPLOAD}
>
> Now, this is mission-critical software and you really need
> to be a top-notch security specialist to do this. So to make
> sure there are no problems integrating the script into the
> mind-blowingly fragile Gentoo main server setup, I have to
> make a few comments to make sure nothing gets messed up
> here.
>
> Kurt, I realize that submitting my homework as a diff makes
> matters more complicated for you. You have to save that
> snippet above to a file and then use the utility patch(1).
> If you have _any_ problems with this, please don't hesitate
> to let me know, and I'll send you the complete script in
> private e-mail.
>
> Before you can use the hardened version of this software,
> you have to customize it. Since I have NO ACCESS TO THE
> GENTOO SERVERS, the script is tailored for my own system.
> The casual readers of this list might want to skip the
> following paragraphs, because it's getting really technical
> now for a moment.
>
> Everybody else please look closely at the first chunk.
> You'll find a line like this:
>
> SIGNKEYID="41BC28FE99089D72"
>
> This statement assigns a variable with the ID of the key
> that is going to be used later in the script to generate the
> cryptographic signature. I chose to use a variable here so
> that the key ID can be configured at the top of the script,
> instead of burying that parameter amidst 78 lines of
> comments, whitespace, and several complex calls to tar(1)
> and other Unix magic. I realize that using a variable adds a
> level of indirection which might have performance
> implications that are difficult to predict. Kurt, should
> this version be too slow to manage the job in time on the
> machines, I'll remove that again, okay?
>
> My point about that line is, though: This key ID will NOT
> WORK on your machine! The reason is that to issue a
> signature, you have to use the secret key of the GPG
> key-pair. So although you can download a key with that ID
> from every public key server, this will not work! You really
> need the secret key.
>
> To make the script work nonetheless you have to:
>
> (1) Start appropriate text editing software. On most Gentoo
> machines, the tool nano(1) can be used for this.
>
> (2) Repeatedly hit the cursor-down button on your keyboard
> until that white rectangle you're seeing is right over
> that SIGNKEYID line from above.
>
> (3) Stop hitting cursor-down now!
>
> (4) If the white rectangle has moved past that line
> already, then you have to hit CTRL-Z, then enter
>
> kill -9 %1
>
> and go back to step (1) and try again.
>
> (5) Don't give up.
>
> (6) If you have successfully navigated the white rectangle
> to the line, hit cursor-right repeatedly until it has
> reached the point right after the first double quote.
>
> (7) Don't give up.
>
> (8) Switch into overwrite mode and enter the ID of your
> secret key.
>
> (9) Save the modified script and exit the text editing
> software. I'd love to give more details on this step,
> but unfortunately the exact procedure is implementation
> defined.
>
> After you have successfully edited the key ID to match the
> one your secret key has, you should be ready to try it out.
> Just enter "snapshots-create.sh" and see what happens.
>
> What do you mean it doesn't work?
>
> Hmmm. Does "./snapshots-create.sh" work?
>
> Doesn't either?
>
> Hmmm. Ah, wait. Enter "chmod +x snapshots-create.sh".
>
> Good, now run the "./snapshots-create.sh" command again.
>
> STILL doesn't work?
>
> What does it say on the screen?
>
> Nothing?
>
> Hahaha, now I got it. No, no, that's perfectly alright. It
> will take a while for the script to return; that thing runs
> a while. Yes, security-related software does require lots
> and lots of CPU time; that really can't be helped in any
> way, so please be patient.
>
> Now, if the script has returned at last you will find the
> following files in the Gentoo download area:
>
> portage-20041109.tar.bz2
> portage-20041109.tar.bz2.gpgsig
> portage-20041109.tar.bz2.md5sum
>
> Don't be concerned if the filenames don't match exactly.
> These numbers depend on the t-coordinate of the system the
> script is run on; that is a kind of unique hash to guarantee
> that no filename collisions occur.
>
> If this has succeeded, then you have a TOTALLY secure Gentoo
> distribution now; there really is nothing left to worry
> about.
>
> Just execute "emerge sync", wait until it comes back and ...
> everything still works, no hacker has injected any modified
> /usr/portage/eclass/eutils.eclass file into your machine,
> you are totally SAFE!
>
> Of course, I wouldn't install any new software for the next
> 1.5 years because there remains a small, insignificant
> chance that doing this will erase your hard disk, install
> Red Hat Linux, or do other horrible things.
>
> But you know how the old saying goes: Never change a running
> system!
>
> Exactly.
>
> WARNING *** WARNING *** WARNING *** WARNING
>
> My instructions have been written for the final version of
> this hardening mechanism. Right now, the "totally secure"
> bit is not quite accurate because I still haven't gotten to
> "patch" any of the Gentoo tools to verify that signature.
>
> Or, to be perfectly honest, I have gotten to but didn't
> manage.
>
> There is some complexity to the task that wasn't quite
> understood when I agreed to do all this for Gentoo, because
> before I can call GPG to verify the signature, I have to
> execute
>
> source /etc/make.conf
>
> to import some more variables, so that the user can
> switch authentication on/off, set the path to the official
> Gentoo key and all that. And frankly, it is just too damn
> difficult.
>
> Anyway, I promise I will do that ASAP. Let's see ... we have
> 2004 now ... Man, that is gonna take a while. Because, as it
> happens, I have other stuff to do, too, you know? It's not
> like I am getting paid for all this!
>
> And besides: I simply don't give a shit.
>
> Cheers,
>
> Peter
>

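The two halves this thread keeps circling, as an added example that is neither code from the thread nor Gentoo's own: the producer side from Peter's diff (tarball, md5sum, detached armored signature) rewritten with quoted paths and an exit-status check so that a failed gpg run cannot publish an unsigned archive, and the consumer side that Peter says still has to read its settings from /etc/make.conf and that Locke says emerge-webrsync must run before extracting anything. The setting names WEBRSYNC_VERIFY_SIGNATURE, PORTAGE_GPG_DIR and PORTAGE_GPG_FPR, the dedicated keyring directory and the pinned-fingerprint check are assumptions of this example, not Portage configuration.

```shell
#!/bin/sh
# Added example (not from the thread, not Gentoo's code): sign a Portage
# snapshot on the producer side and verify it on the consumer side before
# anything is extracted. Assumed (hypothetical) settings read from a
# make.conf-style file:
#   WEBRSYNC_VERIFY_SIGNATURE  1 (default) or 0
#   PORTAGE_GPG_DIR            a GNUPGHOME holding only the trusted signing key
#   PORTAGE_GPG_FPR            fingerprint of the key the signature must come from

# Producer: tarball -> .md5sum -> .gpgsig. Every path is quoted and every
# step's exit status is checked, so a failed gpg run leaves no .gpgsig
# behind instead of letting an unsigned archive be uploaded.
sign_snapshot() {
    signkeyid=$1; tarball=$2
    [ -f "$tarball" ] || { echo "no such snapshot: $tarball" >&2; return 1; }
    (cd "$(dirname "$tarball")" && md5sum "$(basename "$tarball")") \
        > "${tarball}.md5sum" || return 1
    # --batch: never prompt; -u: sign with exactly this secret key.
    if ! gpg --batch -u "$signkeyid" --armor --detach-sign \
            --output "${tarball}.gpgsig" "$tarball"; then
        rm -f "${tarball}.gpgsig"
        echo "signing failed, not publishing $tarball" >&2
        return 1
    fi
}

# Consumer: the "source /etc/make.conf" step, with verification ON unless
# the user explicitly switches it off. Only a root-owned file belongs here,
# since sourcing executes whatever the file contains.
load_webrsync_config() {
    WEBRSYNC_VERIFY_SIGNATURE=1
    PORTAGE_GPG_DIR=""
    PORTAGE_GPG_FPR=""
    if [ -f "$1" ]; then . "$1"; fi
}

# The md5sum catches transfer corruption only: whoever can rewrite the
# archive in transit can rewrite the .md5sum file next to it just as well.
check_md5() {
    (cd "$(dirname "$1")" && md5sum -c --status "$(basename "$1").md5sum")
}

# Succeeds only if gpg reports a VALIDSIG whose signing-key (or primary-key)
# fingerprint equals the pinned one. The keyring is a dedicated directory,
# so a stray key in the user's own keyring cannot make a bad snapshot pass.
verify_signature() {
    tarball=$1
    [ -n "$PORTAGE_GPG_FPR" ] && [ -f "${tarball}.gpgsig" ] || return 1
    GNUPGHOME="$PORTAGE_GPG_DIR" gpg --batch --status-fd 1 \
        --verify "${tarball}.gpgsig" "$tarball" 2>/dev/null \
    | awk -v fpr="$PORTAGE_GPG_FPR" \
        '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==fpr || $NF==fpr) {ok=1}
         END {exit !ok}'
}

# Extract only after both checks pass (or when the user turned them off).
install_snapshot() {
    tarball=$1; dest=$2
    if [ "$WEBRSYNC_VERIFY_SIGNATURE" = 1 ]; then
        check_md5 "$tarball" \
            || { echo "md5sum mismatch, refusing to extract" >&2; return 1; }
        verify_signature "$tarball" \
            || { echo "bad or missing signature, refusing to extract" >&2; return 1; }
    fi
    mkdir -p "$dest" && tar -xf "$tarball" -C "$dest"
}

# Command-line use:  ./snapshot-sign-verify.sh sign KEYID SNAPSHOT
#                    ./snapshot-sign-verify.sh install SNAPSHOT DESTDIR [CONF]
case "${1:-}" in
    sign)    sign_snapshot "$2" "$3" ;;
    install) load_webrsync_config "${4:-/etc/make.conf}"; install_snapshot "$2" "$3" ;;
esac
```

The ordering is the point: nothing is unpacked until the signature over the tarball checks out against a fingerprint the user pinned, in a keyring that contains nothing else. The md5sum is kept because the thread's script produces it, but it is a corruption check, not an authenticity check.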
Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Locke writes:

> why do you extract all files in the tar archive?

Oh shit! I forgot to explain something! Look closely at the
line you neglected to quote:

/bin/tar --exclude=CVS -cjf ${FILENAME} portage

First off, the lack of any '+' or '-' in front of it means
that I actually didn't modify it in any way but that it was
in the script to begin with. So it is not quite exactly my
"code".

Secondly, if you look real hard, you'll find the use of the
flag '-c' on that command. This is an abbreviation for
"create", which means that the command creates a tar
archive. So it's not really extracting anything from the
archive. If you want to know more about this, check out
this:

man tar


> And please stop your sarcastic expressions.

Just did.

Peter


Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Sorry, that was my mistake, I overlooked it. But please use quotation marks for
${FILENAME} in case at some point a blank or something like this ends up in it.
But this solution won't be good at all, only a small hack for the people who
scream for this feature.

cu

On Thursday, 11 November 2004 16:18, Peter Simons wrote:
> Locke writes:
> > why do you extract all files in the tar archive?
>
> Oh shit! I forgot to explain something! Look closely at the
> line you neglected to quote:
>
> /bin/tar --exclude=CVS -cjf ${FILENAME} portage
>
> First off, the lack of any '+' or '-' in front of it means
> that I actually didn't modify it in any way but that it was
> in the script to begin with. So it is not quite exactly my
> "code".
>
> Secondly, if you look real hard, you'll find the use of the
> flag '-c' on that command. This is an abbreviation for
> "create", which means that the command creates a tar
> archive. So it's not really extracting anything from the
> archive. If you want to know more about this, check out
> this:
>
> man tar
>
> > And please stop your sarcastic expressions.
>
> Just did.
>
> Peter
>
>

Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Locke writes:

> But please use quotation marks for ${FILENAME} if in some
> time a blank or something like this happens in it.

Honestly, people, are you trying to look like complete idiots
in a public forum on purpose, or what?

You give one piece of stupid advice, and after I e-mail you and
tell you to be a man and apologize, you go ahead and give the
next one right away.

So let's see. We quote ${FILENAME} so that the
machine-generated file name "portage-20041109.tar.bz2"
doesn't contain any blanks by accident.

Hmmm.

It's pretty good advice, actually. I wonder whether that
idea came to you because I quoted ${SIGNKEYID} to make sure
some unnamed person doesn't break the script by using the
clear text key ID for that instead of the numeric one.

Anyway. I like it. Why don't you sit down a couple of hours,
implement that added functionality, and submit a "patch" to
Kurt?

Peter


Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 06:54:50PM +0100 or thereabouts, Peter Simons wrote:
> Honestly, people are you trying to look like complete idiots
> in a public forum on purpose or what?

Peter -- I don't think there is any solution here that is going to make you
happy. You don't like the suggestion I made. I'm not willing to implement
the suggestion you made. That leaves us at an impasse.

If posting something about this issue to some other list will make you feel
better, then please do that. If you feel you need to use another
distribution to ensure the integrity of your own machines, then please do
that.

Whatever you do, please stop flaming, attacking and degrading the people of
this list. Enough is enough.

--kurt
Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Kurt Lieber writes:

> Whatever you do, please stop flaming, attacking and
> degrading the people of this list. Enough is enough.

The rule is quite simple: You piss me off, I piss you off.

And what pisses me off is not that _I_ have been treated
somewhat unfriendly here on this list, it is that "some"
guys are recklessly ignoring a security vulnerability that
threatens your users -- no matter how minor the risk may be.
And I don't think you experts should judge that risk, I
think the user should.

If that is not on-topic here, then I wonder what is.

Peter


Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 06:10:35PM +0000, Kurt Lieber wrote:
> Peter -- I don't think there is any solution here that is going to make you
> happy. You don't like the suggestion I made. I'm not willing to implement
> the suggestion you made. That leaves us at an impasse.

Why? The patch Peter posted looked pretty straightforward. It's even simpler
than I thought it would have to be. I don't understand why it won't work.

If it is server load, it is my understanding that this script only runs maybe
twice a day. Is that correct?

- Chris


Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Sorry to add my 2 cents, but Kurt, I think you overlooked the comment that
Peter was referring to:

> why do you extract all files in the tar archive? It doesn't make sense
> at all,
> you can sign and hash the tar as it is, no security will be gained by
> extracting the whole archive, that's crap like your script.
> Only performance will be worse.

which was made by: Locke <riphack@web.de>

I don't want to flame; that's why I'm just about to write a mail to
Locke privately. But you mustn't shut up because someone else shouted at you.
I don't see why Peter should accept insults. I thought this was a
SECURITY list!

regards
blinkeye

On Thu, 2004-11-11 at 19:10, Kurt Lieber wrote:
> On Thu, Nov 11, 2004 at 06:54:50PM +0100 or thereabouts, Peter Simons wrote:
> > Honestly, people are you trying to look like complete idiots
> > in a public forum on purpose or what?
>
> Peter -- I don't think there is any solution here that is going to make you
> happy. You don't like the suggestion I made. I'm not willing to implement
> the suggestion you made. That leaves us at an impasse.
>
> If posting something about this issue to some other list will make you feel
> better, then please do that. If you feel you need to use another
> distribution to ensure the integrity of your own machines, then please do
> that.
>
> Whatever you do, please stop flaming, attacking and degrading the people of
> this list. Enough is enough.
>
> --kurt

Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
At 12:45 AM EST Peter Simons wrote:

>And now I'll do what some real tough security experts here
>wanted all along. I'll cease posting.
>
>Until next time.
>
>Peter

At 1:23 PM EST Peter Simons wrote:

>Kurt Lieber writes:
>
> > Whatever you do, please stop flaming, attacking and
> > degrading the people of this list. Enough is enough.
>
>The rule is quite simple: You piss me off, I piss you off.
>
>And what pisses me off is not that _I_ have been treated
>somewhat unfriendly here on this list, it is that "some"
>guys are recklessly ignoring a security vulnerability that
>threatens your users -- no matter how minor the risk may be.
>And I don't think you experts should judge that risk, I
>think the user should.
>
>If that is not on-topic here, then I wonder what is.
>
>Peter
>
>

A man of your word I see.

Your point has been acknowledged. Posting demeaning comments is not at
all useful or constructive and only serves to make everyone think that
you are serving another end than altruism.

No response is necessary.

Thanks,
Andrew

Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 07:23:49PM +0100 or thereabouts, Peter Simons wrote:
> And what pisses me off is not that _I_ have been treated
> somewhat unfriendly here on this list, it is that "some"
> guys are recklessly ignoring a security vulnerability that
> threatens your users -- no matter how minor the risk may be.

Nobody is recklessly ignoring anything. I suggested an option which will
give those users that care the ability to verify the contents of every
single file under /usr/portage. Namely, signing the daily snapshots of the
tree. You indicated that you didn't think this was sufficient and that
instead, you wanted hashes generated of every file in the tree because
otherwise, "regular" users would be unprotected.

What was unclear about your request is how the functionality was going to
be integrated into 'emerge sync'. Are you expecting the portage devs to
drop everything and integrate that functionality immediately?

What is also unclear is why the first option is insufficient. You stated a
requirement to be able to verify the integrity and authenticity of every
file under /usr/portage/ to ensure that no MIM attacks were taking place.
The suggestion of signing snapshots meets that requirement in every way and
does it in a way that introduces very little risk to our system.

> If that is not on-topic here, and I wonder what is.

I've never said your posts were off-topic. I said you were attacking
people -- not just Gentoo developers, but other users. Please do not
attack the members of this list.

--kurt
Re: Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 01:31:24PM -0500 or thereabouts, Chris Frey wrote:
> Why? The patch Peter posted looked pretty straightforward. It's even simpler
> than I thought it would have to be. I don't understand why it won't work.

Peter has indicated that signed snapshots will not be sufficient to
mitigate this risk in his eyes. He is still demanding that another
solution be implemented.

> If it is server load, it is my understanding that this script only runs maybe
> twice a day. Is that correct?

The signed snapshots script actually only runs once a day. There is no
concern that it will add too much load. There is only a question on what
Peter feels will be "enough".

--kurt
RE: Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Kurt Lieber wrote:
> The signed snapshots script actually only runs once a day. There is no concern that it will add too much load. There is only a question on what Peter feels will be "enough".

I've spent the past few days watching this drama unfold and kept quiet. Why do the developers feel like they have to bend over backwards over what one person feels is "enough"? Unless he's willing to pony up the time to implement a fix (and money, if the current rsync servers can't handle the load and need to be upgraded), I think that the developers all have the best interests of the community in mind, and that we should trust their judgement on the issue.

The devs bust their butts for us Gentoo users. They love it every bit as much as we do. Let them do their job.

-DM

Re: Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 01:42:48PM -0500 or thereabouts, Molavi, Dariush wrote:
> I've spent the past few days watching this drama unfold and kept quiet. Why do the developers feel like they have to bend over backwards over what one person feels is "enough"? Unless he's willing to pony up the time to implement a fix (and money, if the current rsync servers can't handle the load and need to be upgraded), I think that the developers all have the best interests of the community in mind, and that we should trust their judgement on the issue.

We're not and we won't. There are a number of other folks not named Peter
on this list who expressed an interest in a short-term solution that,
considering the minimal risk associated with adding a signed file to our
snapshots dir, makes it worthwhile to implement.

The solution that Peter is requesting (generating hashes of files not
already hashed and then signing all Manifests/hashes) is considerably more
risky and is not something I will implement since we have a more robust,
better solution in the works already.

--kurt
Re: Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 06:38:09PM +0000, Kurt Lieber wrote:
> On Thu, Nov 11, 2004 at 01:31:24PM -0500 or thereabouts, Chris Frey wrote:
> > Why? The patch Peter posted looked pretty straightforward. It's even simpler
> > than I thought it would have to be. I don't understand why it won't work.
>
> Peter has indicated that signed snapshots will not be sufficient to
> mitigate this risk in his eyes. He is still demanding that another
> solution be implemented.

I don't presume to speak for Peter, but I would assume that the solution he
posted to the list is the one he would like implemented. :-) It certainly
addresses the main concerns of this thread, as I see it.

In another post, you asked whether we expect the devs to drop everything to
implement the checking in emerge sync. I certainly don't expect that. Once
the signatures are available from the server, any user can use them and
write their own code to do the checks. The signature is all we need.

- Chris


--
gentoo-security@gentoo.org mailing list
Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Yes, I know this, but I don't like the very degrading mails and arrogant
behaviour of Peter.
I think an md5sum and a signature for the whole portage package are enough in
terms of integrity between Gentoo servers and the local user, even though
it puts very little load on the servers.

cu, Locke

On Thursday, 11 November 2004 19:33, BlinkEye wrote:
> Sorry to add my 2 cents, but Kurt, I think you overlooked the comment that
> Peter was referring to:
>
> > why do you extract all files in the tar archive? it doesn't make sense
> > at all, you can sign and hash the tar as it is, no security will be gained by
> > extracting the whole archive. that's crap like your script.
> > only performance will be worse.
>
> which was made by: Locke <riphack@web.de>
>
> I don't want to flame, that's why I'm just about to write a mail to
> Locke privately. But you mustn't shut up because another shouted at you.
> I don't see why Peter should accept insults. I thought this was a
> SECURITY list!
>
> regards
> blinkeye
>
> On Thu, 2004-11-11 at 19:10, Kurt Lieber wrote:
> > On Thu, Nov 11, 2004 at 06:54:50PM +0100 or thereabouts, Peter Simons wrote:
> > > Honestly, people are you trying to look like complete idiots
> > > in a public forum on purpose or what?
> >
> > Peter -- I don't think there is any solution here that is going to make
> > you happy. You don't like the suggestion I made. I'm not willing to
> > implement the suggestion you made. That leaves us at an impasse.
> >
> > If posting something about this issue to some other list will make you
> > feel better, then please do that. If you feel you need to use another
> > distribution to ensure the integrity of your own machines, then please do
> > that.
> >
> > Whatever you do, please stop flaming, attacking and degrading the people
> > of this list. Enough is enough.
> >
> > --kurt
>
> --
> gentoo-security@gentoo.org mailing list

Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thursday 11 November 2004 19:23, Peter Simons wrote:
> Kurt Lieber writes:
> > Whatever you do, please stop flaming, attacking and
> > degrading the people of this list. Enough is enough.
>
> The rule is quite simple: You piss me off, I piss you off.
>
> And what pisses me off is not that _I_ have been treated
> somewhat unfriendly here on this list, it is that "some"
> guys are recklessly ignoring a security vulnerability that
> threatens your users -- no matter how minor the risk may be.
> And I don't think you experts should judge that risk, I
> think the user should.

You know what pisses me off is the way you treat people with constructive
contributions. In your reply to Locke, for example, you make him out to be a complete
idiot, and you seem to have such a reaction ready for everyone. I like to
look at Gentoo as a friendly community where no one has to be afraid to have
a different opinion, not even you. That does however require that arguments
stay professional and don't get personal. If you do get personal, it
is you who is making a fool of himself, not the person who wants to
contribute constructively but made an honest mistake.

Paul

PS. Let me add once again: there is absolutely no shame in making mistakes, as
long as one accepts that one can be wrong and learns from them.


--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: Re: Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thursday 11 November 2004 19:49, Chris Frey wrote:
> In another post, you asked whether we expect the devs to drop everything to
> implement the checking in emerge sync. I certainly don't expect that.
> Once the signatures are available from the server, any user can use them
> and write their own code to do the checks. The signature is all we need.

Unfortunately this is not true. There are a number of requirements for the
solution that is finally implemented. Most of the problems are
organizational, not technical:
- There must be a way to ensure that all files in the tree are signed / no dev
commits unsigned Manifests anymore
- There must be a way to get the list of valid dev keys.
- The lifetime of the validity of the dev key list must be short to allow for
added devs and compromised keys.
- The key(s) used to sign the key list must be secure in some way and trusted

Besides this, the key list must be assembled and maintained. At some point
Manifests must also be re-signed because their keys are invalidated. Those
Manifests must be automatically identified.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
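The requirements Paul lists above (a short-lived signed key list, no unsigned Manifests, and automatic identification of Manifests whose signing key has since been invalidated) can be made concrete as a small policy check. The following is an added example for this thread, not Portage or Gentoo infrastructure code; the class names (DevKey, KeyList, Manifest, audit_tree) and all dates, key ids and paths are constructed for illustration. It models the key list and Manifests as data and sorts every Manifest into a bucket, refusing to verify anything at all once the key list itself has expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed model, not Portage's data structures: a signed, short-lived list of
# developer keys, and Manifests that must each carry a signature from a key that
# is on that list and has not been revoked.


@dataclass(frozen=True)
class DevKey:
    keyid: str
    valid_from: datetime
    revoked_at: Optional[datetime] = None

    def usable_at(self, when: datetime) -> bool:
        # A revoked key is never usable, not even for signatures dated before the
        # revocation: a compromised key can produce back-dated signatures, so
        # "signed before revocation" proves nothing. Such Manifests must be re-signed.
        return self.revoked_at is None and when >= self.valid_from


@dataclass(frozen=True)
class KeyList:
    issued: datetime
    lifetime: timedelta  # kept short so added devs and compromised keys propagate quickly
    keys: Tuple[DevKey, ...]

    def is_current(self, now: datetime) -> bool:
        return self.issued <= now < self.issued + self.lifetime

    def lookup(self, keyid: str) -> Optional[DevKey]:
        return next((k for k in self.keys if k.keyid == keyid), None)


@dataclass(frozen=True)
class Manifest:
    path: str
    signer: Optional[str]  # None models a dev committing an unsigned Manifest
    signed_at: Optional[datetime]


def audit_tree(keylist: KeyList, manifests: List[Manifest], now: datetime) -> Dict[str, List[str]]:
    """Sort every Manifest into one bucket; everything except 'ok' needs action."""
    if not keylist.is_current(now):
        # A stale key list could be missing revocations; refuse rather than guess.
        expiry = keylist.issued + keylist.lifetime
        raise ValueError("key list expired at %s" % expiry.isoformat())
    report: Dict[str, List[str]] = {"ok": [], "unsigned": [], "unknown_key": [], "needs_resign": []}
    for m in manifests:
        if m.signer is None or m.signed_at is None:
            report["unsigned"].append(m.path)
            continue
        key = keylist.lookup(m.signer)
        if key is None:
            report["unknown_key"].append(m.path)
        elif not key.usable_at(m.signed_at):
            report["needs_resign"].append(m.path)  # revoked, or signed before the key was valid
        else:
            report["ok"].append(m.path)
    return report


# Constructed sample data: one key list valid for a day, and five Manifests covering
# the happy path plus each failure mode.
UTC = timezone.utc
NOW = datetime(2004, 11, 12, 12, 0, tzinfo=UTC)
KEYLIST = KeyList(
    issued=datetime(2004, 11, 12, 0, 0, tzinfo=UTC),
    lifetime=timedelta(days=1),
    keys=(
        DevKey("AAAA000000000001", datetime(2004, 1, 1, tzinfo=UTC)),
        DevKey("AAAA000000000002", datetime(2004, 1, 1, tzinfo=UTC),
               revoked_at=datetime(2004, 11, 1, tzinfo=UTC)),
        DevKey("AAAA000000000003", datetime(2004, 11, 10, tzinfo=UTC)),
    ),
)
MANIFESTS = [
    Manifest("app-shells/bash/Manifest", "AAAA000000000001", datetime(2004, 11, 5, tzinfo=UTC)),
    Manifest("sys-apps/portage/Manifest", "AAAA000000000002", datetime(2004, 10, 20, tzinfo=UTC)),  # revoked signer
    Manifest("net-misc/rsync/Manifest", "AAAA000000000003", datetime(2004, 11, 1, tzinfo=UTC)),  # signed before key valid
    Manifest("dev-lang/python/Manifest", None, None),  # unsigned commit
    Manifest("sys-devel/gcc/Manifest", "DEADBEEF00000000", datetime(2004, 11, 11, tzinfo=UTC)),  # key not on list
]

if __name__ == "__main__":
    for bucket, paths in audit_tree(KEYLIST, MANIFESTS, NOW).items():
        print("%-12s %s" % (bucket, paths))
```

The "needs_resign" bucket is the list Paul says must be produced automatically; the "unsigned" and "unknown_key" buckets catch the first two requirements, and the refusal on an expired key list is what makes the short lifetime enforceable on the client side rather than a mere intention.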
Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 09:50:09PM +0100 or thereabouts, Paul de Vrieze wrote:
> You know what pisses me of is the way you treat people with constructive
> contributions.

In fairness to Peter, he did send me a private apology which he asked me to
post to the list. I avoided doing so until now because I really, really,
really want this whole thing to die down. Hopefully, if I post his
apology, we can all finally have some peace and quiet.

--kurt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt, Dan,

I would like to apologize for the last few rather personal
and emotional postings (and e-mails). I am sorry for having
explicitly insulted some of you guys here on this list. This
is what happens when you think _only_ about some abstract
technical thing and forget that you are dealing with real
humans. Especially via e-mail. In _person_, I would never
have done that.

I am sorry.

It is probably better to let things cool off a bit. I, at
least, obviously need that. I just unsubscribed from the
list -- so I can still read it through gmane.org, but no
longer post. As a reminder not to react spontaneously and
emotionally instead of trying to understand the other side.

I am still willing to help with any effort that might be
undertaken to increase the security of the distribution, and
if there is anything I can do please let me know via private
e-mail, okay?

Please do post this e-mail on the list for me, so that the
others know, too.

Sincerely,

Peter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iQEVAwUBQZO19UG8KP6ZCJ1yAQIkiAf+NKrD3dF9ALVIBnpo1UaWNSVsIXA+uO2P
YmttlaG3BIaaXInQYd3PJdUYMkn/moJbnYnXpLxg6ef5DtAGKBW+ijzVfleZBkHD
8e03BSlF7ZaZfgAj98qS3jbpsjDb0jIivcbrwUl8pccOW4CiRwRohdZ327+xMtry
4uuZ4HwvoZA7r42pLxBv6FtgYLLsWjpi1cpMFrG4kieGvMohFkFmDk+a0xizbzAb
IesP+GymXjj/z1C0xiCmuMODak2RPkwadE2vZCLnAjvkUGiatuuJjLkANpGrZyqD
2l+AfwmRlJVwFR1iprDiE6M/UoVP78+2JulzjrEMQxJcM6jnH9AABw==
=NP7H
-----END PGP SIGNATURE-----
Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Wed, Nov 10, 2004 at 10:08:28PM -0500, Dan Margolis wrote:
> A GLSA is in the works to correct this serious security flaw. Stay tuned
> for further details.

Don't you mean a GLEP?

Re: Re: Re: Re: Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
On Thu, Nov 11, 2004 at 09:56:52PM +0100, Paul de Vrieze wrote:
> On Thursday 11 November 2004 19:49, Chris Frey wrote:
> > In another post, you asked whether we expect the devs to drop everything to
> > implement the checking in emerge sync. I certainly don't expect that.
> > Once the signatures are available from the server, any user can use them
> > and write their own code to do the checks. The signature is all we need.
>
> Unfortunately this is not true. There are a number of requirements for the
> solution that is finally implemented. Most of the problems are
> organizational, not technical:

I realize these problems still need to be solved in the official solution,
but that is not what I was referring to.

In order to verify that the tree we download today is the one from the main
Gentoo server, all we need is the patch Peter posted.

I'm eagerly awaiting the official solution too, but the current patch in
question looks simple enough to be implemented in the interim.

- Chris


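Chris's point in both of his posts is that once the server publishes a signature, a user can write the check themselves without waiting for emerge. The following is an added example of such a check, not code from the thread, from Portage or from Gentoo's infrastructure. It assumes a detached ASCII-armored signature is published beside each snapshot as <snapshot>.asc (a hypothetical layout), that the signing key has been fetched out of band into a dedicated keyring, and that GnuPG is installed; the pinned key id is a placeholder. Rather than trusting gpg's exit code or the keyring's trust database, it parses the machine-readable --status-fd output and accepts only a VALIDSIG whose fingerprint ends in the pinned long key id, and it treats a missing .asc as a failure rather than a reason to skip verification.

```python
import os
import subprocess
import tempfile
from typing import Tuple

# Placeholder, not a real Gentoo key: replace with the long key id of the snapshot
# signing key, obtained out of band (not from the same mirror as the snapshot).
TRUSTED_LONG_KEYID = "0123456789ABCDEF"


def evaluate_status(status_text: str, trusted_keyid: str) -> Tuple[bool, str]:
    """Decide from gpg --status-fd output whether the signature is acceptable.

    Status keywords (BADSIG, ERRSIG, NO_PUBKEY, EXPKEYSIG, REVKEYSIG, EXPSIG,
    VALIDSIG) are GnuPG's own; VALIDSIG carries the full fingerprint as its
    first argument, which we compare against the pinned key id.
    """
    valid_fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw in ("BADSIG", "ERRSIG"):
            return False, "signature does not match snapshot (%s)" % kw
        if kw == "NO_PUBKEY":
            return False, "signing key %s not in keyring" % fields[2]
        if kw in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            return False, "signature made with an expired or revoked key (%s)" % kw
        if kw == "VALIDSIG":
            valid_fpr = fields[2]
    if valid_fpr is None:
        return False, "no VALIDSIG in gpg output"
    if not valid_fpr.upper().endswith(trusted_keyid.upper()):
        # A good signature from the wrong key is exactly what a MITM with any
        # key in the keyring could produce, so pin the signer explicitly.
        return False, "good signature, but from untrusted key %s" % valid_fpr
    return True, "signed by pinned key %s" % valid_fpr


def verify_snapshot(snapshot: str, keyring: str,
                    trusted_keyid: str = TRUSTED_LONG_KEYID, gpg: str = "gpg") -> Tuple[bool, str]:
    """Verify <snapshot> against <snapshot>.asc. Missing files are failures, not skips."""
    signature = snapshot + ".asc"
    if not os.path.isfile(snapshot):
        return False, "snapshot missing"
    if not os.path.isfile(signature):
        # Someone in the middle can simply drop the .asc; never fall back to "unsigned is fine".
        return False, "signature missing"
    cmd = [gpg, "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", signature, snapshot]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return evaluate_status(proc.stdout, trusted_keyid)


def demo_missing_signature() -> Tuple[bool, str]:
    """Exercise the failure path offline: a snapshot with no .asc beside it."""
    with tempfile.TemporaryDirectory() as d:
        snap = os.path.join(d, "portage-20041111.tar.bz2")  # constructed, empty file
        open(snap, "wb").close()
        return verify_snapshot(snap, os.path.join(d, "keyring.gpg"))


# Constructed status-fd output in the shape gpg emits it, for offline demonstration.
SAMPLE_GOOD = (
    "[GNUPG:] SIG_ID constructed 2004-11-11 1100196473\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Snapshot Signing Key (constructed)\n"
    "[GNUPG:] VALIDSIG 00112233445566778899AABB0123456789ABCDEF 2004-11-11 "
    "1100196473 0 3 0 1 2 00 00112233445566778899AABB0123456789ABCDEF\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Snapshot Signing Key (constructed)\n"
SAMPLE_WRONG_KEY = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Some Other Key (constructed)\n"
    "[GNUPG:] VALIDSIG FFEEDDCCBBAA99887766554433221100FEDCBA9876543210 2004-11-11 "
    "1100196473 0 3 0 1 2 00 FFEEDDCCBBAA99887766554433221100FEDCBA9876543210\n"
)

if __name__ == "__main__":
    print(evaluate_status(SAMPLE_GOOD, TRUSTED_LONG_KEYID))
    print(evaluate_status(SAMPLE_BAD, TRUSTED_LONG_KEYID))
    print(evaluate_status(SAMPLE_WRONG_KEY, TRUSTED_LONG_KEYID))
    print(demo_missing_signature())
```

A real run would call verify_snapshot on the downloaded archive and only unpack it when the first element of the result is True; the TRUST_UNDEFINED line in the sample shows why the key is pinned by fingerprint instead of relying on gpg's web of trust for a freshly imported key.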