
List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2010-05-26 8:51:29
Message-ID: 4BFCE111.4060107 () invisiblethingslab ! com



On 05/26/2010 03:49 AM, Scott Kitterman wrote:
>> Instead of having just one private key, it would be much better for
>> every committer/release-manager or whoever is responsible for building
>> the stable tarballs, to generate their own private key and use it for
>> signing. Then, there should be one "master signing key" that would be
>> kept on some safe machine (perhaps used just for the purpose of
>> generating and using this key) and which would be used to sign all the
>> "authorized" developers keys. This key (the public portion) would be
>> published on the kde.org website, and you can also send it to the kde-devel
>> list, to make it possible for people to obtain it from 2 different
>> sources (I guess kde-devel is widely mirrored over internet, so it would
>> not be feasible for the attacker to subvert this public key in all the
>> places). Perhaps only the top 2 or 3 most trusted KDE developers (I'm
>> sorry I don't know the management structure of the project) should have
>> access to the master signing key.
>>
> Speaking as an Ubuntu packager, we maintain in transit assurance of
> package integrity by retrieving the tarballs via sftp.  If someone
> can MITM my SSH session,  then there's a lot better things they can
> do with it than modify KDE tarballs in transit.
> 

That's certainly better than relying on the SHA1 hash embedded in the
plaintext HTML page. But it still doesn't help if somebody compromised
KDE's ftp server. You might comfort yourself that this is unlikely to
happen, but the reality is simply different, e.g. [1]:

"In connection with the incident, the intruder was able to get a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5
(x86_64 architecture only) signed"

This is BTW also a good example of why it's a bad idea to have a
centralized signing server/key, and it's much better to let lead
developers sign the tarballs themselves, as I explained above.

Anyway, can someone from @kde.org address tell me the sftp's RSA
fingerprint? :)

joanna.


[1] http://www.redhat.com/security/data/openssh-blacklist.html
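The key hierarchy proposed in the quoted text (an offline master key that
certifies each developer's own key, developers signing their own release
tarballs, and a verifier that obtains the master key fingerprint from two
independent sources) can be modelled end to end in a few dozen lines. The
following is an added example written for this archive page, not code from
the thread or from KDE; it uses Ed25519 from the Go standard library in place
of OpenPGP, and the developer names, tarball name and tarball bytes are
constructed for illustration. The checks it performs are the ones the
proposal implies: a tarball is accepted only if (1) the named developer's
key carries a valid master-key certification and (2) that key's signature
over the tarball digest verifies, so neither a compromised mirror altering
bytes nor an attacker signing with an uncertified key gets through.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeveloperCert is the master key's endorsement of one developer's public
// key: the "master signing key signs all the authorized developers' keys"
// step. It is produced on the offline master-key machine.
type DeveloperCert struct {
	Developer string
	Pub       ed25519.PublicKey
	MasterSig []byte // master signature over certMessage(Developer, Pub)
}

// SignedTarball is a release tarball plus one developer's signature over
// its SHA-256 digest, made with that developer's own private key.
type SignedTarball struct {
	Name      string
	Data      []byte
	Developer string // which certified key the verifier must use
	Sig       []byte // developer signature over tarballMessage(Name, Data)
}

// certMessage and tarballMessage are domain-separated so a developer
// certificate can never be replayed as a tarball signature or vice versa.
func certMessage(dev string, pub ed25519.PublicKey) []byte {
	msg := []byte("authorized-developer-key\x00" + dev + "\x00")
	return append(msg, pub...)
}

func tarballMessage(name string, data []byte) []byte {
	sum := sha256.Sum256(data)
	msg := []byte("release-tarball\x00" + name + "\x00")
	return append(msg, sum[:]...)
}

// IssueDeveloperCert runs on the isolated master-key machine.
func IssueDeveloperCert(master ed25519.PrivateKey, dev string, pub ed25519.PublicKey) DeveloperCert {
	return DeveloperCert{Developer: dev, Pub: pub, MasterSig: ed25519.Sign(master, certMessage(dev, pub))}
}

// SignTarball runs on the release manager's own machine with their own key.
func SignTarball(devKey ed25519.PrivateKey, dev, name string, data []byte) SignedTarball {
	return SignedTarball{Name: name, Data: data, Developer: dev, Sig: ed25519.Sign(devKey, tarballMessage(name, data))}
}

// Fingerprint is the value that would be published on the website and
// posted to the mailing list (hypothetical format: hex SHA-256 of the key).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// TrustMasterKey accepts a downloaded master public key only if the
// fingerprints fetched from two independent sources both match it.
func TrustMasterKey(pub ed25519.PublicKey, fpFromWebsite, fpFromList string) error {
	fp := Fingerprint(pub)
	if fp != fpFromWebsite || fp != fpFromList {
		return errors.New("master key fingerprint does not match both published copies")
	}
	return nil
}

// VerifyTarball checks the whole chain: master key -> developer key -> tarball.
func VerifyTarball(masterPub ed25519.PublicKey, certs []DeveloperCert, t SignedTarball) error {
	var cert *DeveloperCert
	for i := range certs {
		if certs[i].Developer == t.Developer {
			cert = &certs[i]
			break
		}
	}
	if cert == nil {
		return fmt.Errorf("no authorized key for developer %q", t.Developer)
	}
	if !ed25519.Verify(masterPub, certMessage(cert.Developer, cert.Pub), cert.MasterSig) {
		return fmt.Errorf("developer key for %q is not certified by the master key", cert.Developer)
	}
	if !ed25519.Verify(cert.Pub, tarballMessage(t.Name, t.Data), t.Sig) {
		return fmt.Errorf("tarball %q: developer signature does not verify (tampered bytes or wrong key)", t.Name)
	}
	return nil
}

func main() {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's uncertified key

	certs := []DeveloperCert{IssueDeveloperCert(masterPriv, "alice", alicePub)}
	tarball := []byte("constructed sample tarball bytes") // constructed, not a real release
	good := SignTarball(alicePriv, "alice", "example.tar.bz2", tarball)
	fmt.Println("authorized developer:", VerifyTarball(masterPub, certs, good))

	// A compromised ftp server or mirror serving modified bytes fails the digest check.
	tampered := good
	tampered.Data = append(append([]byte(nil), tarball...), '!')
	fmt.Println("tampered tarball:   ", VerifyTarball(masterPub, certs, tampered))

	// An attacker who signs with a key the master never certified is rejected
	// even if they claim to be an authorized developer.
	rogue := SignTarball(malloryPriv, "alice", "example.tar.bz2", tarball)
	fmt.Println("uncertified key:    ", VerifyTarball(masterPub, certs, rogue))
}
```

Note the property this buys over a single centralized signing key: compromising one release manager's machine yields one developer key, which the master key can simply stop certifying, while the master private key never touches a network-facing server. Whether the master key is revoked or rotated, and how verifiers learn about that, is outside what this sketch covers.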




