Date:      Mon, 23 Jun 2014 09:16:20 +1000
From:      philj@openmailbox.org
To:        Chris Nehren <cnehren@pobox.com>
Cc:        freebsd-security@freebsd.org, owner-freebsd-security@freebsd.org
Subject:   Re: Ports tree insecure because of IGNOREFILES+IGNORE
Message-ID:  <cc0ec2d86cee64a00bd87804832b9bb9@openmailbox.org>
In-Reply-To: <5004359.PqOTrjIgg6@behemoth>
References:  <a226646bae78ce27377cdfc975c3fd46@openmailbox.org> <5004359.PqOTrjIgg6@behemoth>

On 2014-06-22 22:40, Chris Nehren wrote:
> On Sunday, June 22, 2014 22:31:50 philj@openmailbox.org wrote:
>> The IGNOREFILES+IGNORE mechanism allows port maintainers to
>> disable checksum checks. I feel that this mechanism is a stain
>> on an otherwise fantastic ports system. It reduces user
>> confidence in security and makes us all sitting ducks for
>> sophisticated adversaries.
> 
> Er.  There's nothing stopping a port maintainer from saying
> "Sorry, the distfiles aren't fetchable from the master sites any
> more, I can host a copy" and then host a malicious distfile.  Or
> doing any number of simpler things to cause a problem.  The
> Project doesn't have the resources to audit every single
> distfile's code.  If you're that paranoid, you're welcome to do
> so yourself.

Chris,

You have a valid point, of course, though in this case I was
assuming the port maintainers themselves are trustworthy (just
in case you got the impression from my first paragraph that
I was painting the port maintainers black).

We've seen in the news, at least for Windows, that sophisticated
adversaries with man-in-the-middle capabilities are making use of
cleartext crash-dump logs, hash collisions (so far only MD5), and
weaknesses in the system's update mechanism.

I believe the Project does take these threats very seriously,
even though superhuman auditing ability is an impractical goal.
That's why freebsd-update and portsnap use keys. It's why the
vast majority of distinfo files have SHA256 hashes. It's why
the /usr/sbin/pkg bootstrapper got blacklisted in versions
of FreeBSD that can't verify the signatures.

The good news for those who are worried is that all the ports
I've mentioned have been marked broken, and the IGNOREFILES+
IGNORE mechanism is now pending removal. Here's a copy
of a reply from Baptiste Daroussin (bapt at FreeBSD.org)
for those who aren't subscribed to freebsd-ports:

------------------------------------------------------------
All the said ports have been marked as broken; the "feature"
removal is pending review

Thanks for the heads up, I wasn't aware of this "feature"

regards,
Bapt
------------------------------------------------------------
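
As an added example (not part of this thread or of the ports framework's own fetch/checksum targets), here is a POSIX sh checker that verifies distfiles against a distinfo file and treats a file that has no SHA256 entry as a failure rather than something to skip, which is the gap IGNOREFILES+IGNORE opened. The file names, distinfo lines and helper names (sha256_of, verify_distinfo, make_sample) are constructed for the demo.

```shell
#!/bin/sh
# Constructed example: verify distfiles against a ports-style distinfo with
# no IGNOREFILES-style escape hatch. Not the ports framework's own code.

sha256_of() {
    # sha256sum on GNU systems, sha256(1) on FreeBSD
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else sha256 -q "$1"; fi
}

# verify_distinfo DISTINFO DISTDIR: returns 0 only if every file named in
# DISTINFO has a SHA256 entry and the copy in DISTDIR matches it. A file that
# appears (e.g. on a SIZE line) without a SHA256 line is a failure, not a skip.
verify_distinfo() {
    distinfo=$1; distdir=$2; rc=0
    for f in $(sed -n 's/^[A-Z0-9]* (\(.*\)) = .*/\1/p' "$distinfo" | sort -u); do
        expected=$(sed -n "s/^SHA256 ($f) = //p" "$distinfo")
        if [ -z "$expected" ]; then
            echo "FAIL $f: no SHA256 entry, checksum check would be skipped"; rc=1
        elif [ ! -f "$distdir/$f" ]; then
            echo "FAIL $f: distfile not present"; rc=1
        elif [ "$(sha256_of "$distdir/$f")" = "$expected" ]; then
            echo "OK   $f"
        else
            echo "FAIL $f: SHA256 mismatch"; rc=1
        fi
    done
    return $rc
}

# make_sample DIR: build a constructed distdir and distinfo under DIR with one
# good file, one file tampered after its hash was recorded, and one file that
# is listed only by SIZE (no SHA256 line at all).
make_sample() {
    mkdir -p "$1/distfiles"
    printf 'release tarball\n' > "$1/distfiles/good-1.0.tar.gz"
    printf 'original\n'        > "$1/distfiles/tampered-1.0.tar.gz"
    printf 'no checksum\n'     > "$1/distfiles/unverified-1.0.tar.gz"
    {
        echo "SHA256 (good-1.0.tar.gz) = $(sha256_of "$1/distfiles/good-1.0.tar.gz")"
        echo "SIZE (good-1.0.tar.gz) = 16"
        echo "SHA256 (tampered-1.0.tar.gz) = $(sha256_of "$1/distfiles/tampered-1.0.tar.gz")"
        echo "SIZE (unverified-1.0.tar.gz) = 12"
    } > "$1/distinfo"
    printf 'modified\n' > "$1/distfiles/tampered-1.0.tar.gz"   # tamper after recording the hash
}

dir=$(mktemp -d)
make_sample "$dir"
verify_distinfo "$dir/distinfo" "$dir/distfiles"   # returns 1: two of the three files fail
```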



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?cc0ec2d86cee64a00bd87804832b9bb9>