From: Charles Swiger
Date: Mon, 17 Nov 2003 12:29:59 -0500
To: freebsd-stable@freebsd.org
Subject: Re: Secure updating of OS and ports
In-Reply-To: <20031117161033.X35508@trillian.santala.org>
References: <20031117140240.41031.qmail@web20710.mail.yahoo.com> <20031117161033.X35508@trillian.santala.org>

On Nov 17, 2003, at 9:19 AM, Jarkko Santala wrote:

[ ... ]

> While that would work great for ports, the actual source tree could be a
> problem. If all files would have associated md5sums which would all be
> checked during compilation, it might make the whole process unbearably
> slow on slow machines. Although then there might be a switch to disable
> the checking to increase speed at the cost of security.

Using md5 checksums on distfiles has proven useful in the case where a
source tarball has been trojaned. But a tarball is a self-contained
entity which can be verified as a whole-- you don't have to verify each
file within that archive if you trust the message digest algorithm being
used. And if you trust the people who created the original tarball, of
course.

> Also there's the problem of locating the entity that would check all the
> source code both in src and ports before signing. Of course the ports
> could be signed by maintainers using a method provided by the FreeBSD
> project, such as a key associated with a certificate.

To some extent, using RSA or DSA keypairs in conjunction with CVS over
SSH would give you about what you are looking for, and they are used
when committers make changes to the FreeBSD CVS repository.

Normally, people who check out the FreeBSD sources via CVS or CVSUP are
doing so anonymously and without encryption, but it would be possible
to do a 'cvs checkout' or 'cvs update' via SSH instead.

> Considerable amounts of work into a full-out PKI infrastructure could of
> course also be a problem. All this de facto PGP/GPG stuff just makes my
> head hurt.

RFC-3280 isn't aspirin, unfortunately. :-)

Using X.509 certs rather than PGP/GPG would change the model of trust
and perhaps make it a little easier for end-users to verify signed
content, but that is mostly because end-users are given pre-trusted
root certificates that SSL certs derive from.

-- 
-Chuck
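The distfile checksum check discussed in the reply, as an added example that is not code from the email or from the FreeBSD ports tree: a Python verifier for the ports distinfo format that checks a tarball as one unit, first against its recorded size and then against every digest listed for it. The file name foo-1.0.tar.gz, the archive contents and the SHA256 line alongside the MD5 line are constructed for the example.

```python
import hashlib, io, os, pathlib, re, tarfile, tempfile

# FreeBSD ports distinfo format: "ALGO (file) = hex" lines plus "SIZE (file) = bytes".
DISTINFO_LINE = re.compile(r"^(MD5|SHA256|SIZE) \((.+)\) = (\S+)\s*$")

def parse_distinfo(text):
    """Map each distfile name to its expected digests and size."""
    entries = {}
    for m in filter(None, map(DISTINFO_LINE.match, text.splitlines())):
        algo, name, value = m.groups()
        entries.setdefault(name, {})[algo] = value
    return entries

def verify_distfile(path, entries):
    """Verify the archive as one unit; returns (ok, reason). Size goes
    first: it is cheap and catches truncated downloads before hashing."""
    name = os.path.basename(path)
    expected = entries.get(name)
    if expected is None:
        return False, "no distinfo entry for %s" % name
    if "SIZE" in expected and os.path.getsize(path) != int(expected["SIZE"]):
        return False, "size mismatch"
    digests = {a: hashlib.new(a.lower()) for a in expected if a != "SIZE"}
    if not digests:
        return False, "no digest listed, nothing to verify against"
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    bad = [a for a, h in digests.items() if h.hexdigest() != expected[a].lower()]
    return (False, "%s mismatch" % ",".join(bad)) if bad else (True, "ok")

def demo():
    """Constructed distfile: the pristine copy passes; a same-size edit only the digests catch."""
    with tempfile.TemporaryDirectory() as d:
        name, path = "foo-1.0.tar.gz", os.path.join(d, "foo-1.0.tar.gz")
        with tarfile.open(path, "w:gz") as tar:
            payload = b"int main(void) { return 0; }\n"
            info = tarfile.TarInfo("foo-1.0/main.c")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        data = pathlib.Path(path).read_bytes()   # digests a maintainer would commit
        entries = parse_distinfo("MD5 (%s) = %s\nSHA256 (%s) = %s\nSIZE (%s) = %d\n"
            % (name, hashlib.md5(data).hexdigest(),
               name, hashlib.sha256(data).hexdigest(), name, len(data)))
        clean = verify_distfile(path, entries)
        tampered = bytearray(data)
        tampered[10] ^= 0x01                     # one flipped byte, same length
        pathlib.Path(path).write_bytes(tampered)
        return clean, verify_distfile(path, entries)
```

A passing check only shows the download matches what the maintainer recorded; whether the maintainer's own copy was clean is the separate trust question the reply raises.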