From: grarpamp <grarpamp@gmail.com>
Date: Sat, 17 Nov 2012 15:00:06 -0500
Subject: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
To: freebsd-questions@freebsd.org
Cc: freebsd-hackers@freebsd.org, freebsd-hubs@freebsd.org, freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"
http://www.freebsd.org/news/2012-compromise.html
http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key

This is not about this incident, but about why major open source projects need to be using a repository that has traceable, verifiable, built-in cryptographic authentication.

Any of hundreds of committer and admin accounts could be compromised, with the attacker silently editing the repo. The same applies to any of those accounts going rogue. Backtrack diffing from a breach to "see what changed" is not the ideal option. You really need to be using a strong repo so that any attack on it is null from the start.

Another problem is bit rot wherever it may occur... disk, hardware, the wire, EMP and other systems.

As it is now, we have no way to verify that what we get on pressed CDs, ISOs, FTP sites, torrents, etc. is strongly linked back to the original repo. Signing over a hash of the ISO is *not* the same as including the strong repo hash (commit) that was used to build the release and then signing over that and the ISO. We can't know that our local repository updates match the master. ports.tar.gz has no authentication either. Nor does anything in the entire project that originates from the current SVN/CVS repo... webpages, docs, tools, source tarballs, etc. The FTP packages aren't signed, and there are weak MD5s used in various parts of the install/package tools, mirrors, etc. We can't trade hashes amongst people. It's all just a bunch of random bits that someone may or may not have signed over. And even if signed, they still wouldn't be strongly linked back to the master repo.

Having such a disconnect at the root of everything you do is simply not good practice these days. And these days, Git is what people and projects are moving to, and its rate of adoption and prevalence have essentially won out over all the rest in the new "revision control 2.0" world. And knowing Git is now more or less essential if you want to participate in a wide variety of community development, ref: github, etc.

The FreeBSD project needs to be providing both itself, and its users and benefactors, with verifiable assurance that its repository, and any copies and derived products, are authentic and intact. Don't argue against such a repository feature, or the cost to move, or bury your head in the sand by saying it could never happen to us... Take this as a real opportunity to lead amongst the major open source projects like Linux, and among the BSDs (like DragonFly has), and move to Git. Once the root is fixed, you can push out secure distribution and update models from there. It all starts at the root and can't be done without it.

https://www.kernel.org/pub/software/scm/git/docs/git-fsck.html
  Verifies the connectivity and validity of the objects in the database

http://git-scm.com/about/info-assurance
  The data model that Git uses ensures the cryptographic integrity of every bit of your project. Every file and commit is checksummed and retrieved by its checksum when checked back out. It's impossible to get anything out of Git other than the exact bits you put in. It is also impossible to change any file, date, commit message, or any other data in a Git repository without changing the IDs of everything after it. This means that if you have a commit ID, you can be assured not only that your project is exactly the same as when it was committed, but that nothing in its history was changed.

https://en.wikipedia.org/wiki/Git_(software)
  The Git history is stored in such a way that the id of a particular revision (a "commit" in Git terms) depends upon the complete development history leading up to that commit. Once it is published, it is not possible to change the old versions without it being noticed. The structure is similar to a hash tree, but with additional data at the nodes as well as the leaves.

Some references...
http://git-scm.com/ https://github.com/ http://gitweb.dragonflybsd.org/dragonfly.git https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git
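To make the hash-chain property quoted above concrete, here is an added example (not code from the FreeBSD project or from Git itself): it reimplements Git's object hashing for blobs, trees and commits in Python, builds a small constructed history, and shows that editing a file in an old commit changes the head commit id even though the final checkout is byte-identical. The file names, contents and committer identity are constructed sample data; the point for a release process is that the commit id is only a guarantee relative to a head value obtained from a trusted, signed source.

```python
import hashlib
from typing import Dict, List, Optional

# Added example (not FreeBSD/Git project code): Git's own object encoding
# (SHA-1 over "<type> <len>\0<body>"), so ids match `git hash-object`.
def git_hash(kind: str, body: bytes) -> bytes:
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).digest()

def blob_id(content: bytes) -> bytes:
    return git_hash("blob", content)

def tree_id(entries: Dict[str, bytes]) -> bytes:
    """entries maps filename -> blob id; all files are mode 100644."""
    body = b"".join(b"100644 " + n.encode() + b"\0" + oid
                    for n, oid in sorted(entries.items()))
    return git_hash("tree", body)

def commit_id(tree: bytes, parent: Optional[bytes], msg: str) -> bytes:
    """The parent id is part of the hashed body, so a commit id depends
    on the entire history leading up to it (the hash chain)."""
    lines = [b"tree " + tree.hex().encode()]
    if parent is not None:
        lines.append(b"parent " + parent.hex().encode())
    ident = b"A Committer <a@example.org> 1353182406 -0500"  # constructed
    lines += [b"author " + ident, b"committer " + ident, b"", msg.encode() + b"\n"]
    return git_hash("commit", b"\n".join(lines))

def build_history(snapshots: List[Dict[str, bytes]]) -> List[bytes]:
    """Commit each snapshot {filename: content} on top of the previous one."""
    ids: List[bytes] = []
    parent = None
    for files in snapshots:
        tree = tree_id({n: blob_id(c) for n, c in files.items()})
        parent = commit_id(tree, parent, f"commit {len(ids) + 1}")
        ids.append(parent)
    return ids

# Constructed sample history, and the same history with one byte of the
# *first* commit's file silently edited (the attacker scenario in the post).
HISTORY = [{"sysctl.c": b"int x = 1;\n"},
           {"sysctl.c": b"int x = 1;\n", "Makefile": b"all:\n"}]
TAMPERED = [{"sysctl.c": b"int x = 2;\n"},
            {"sysctl.c": b"int x = 1;\n", "Makefile": b"all:\n"}]

def head_changes_on_tamper() -> bool:
    """Even though the final snapshot is identical, the head commit id
    differs, so a pinned (signed) head id exposes the historical edit."""
    return build_history(HISTORY)[-1] != build_history(TAMPERED)[-1]
```

The empty-blob and empty-tree ids this produces (e69de29b... and 4b825dc6...) are the well-known constants Git itself uses, which is a quick way to confirm the encoding is right.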