[prev in list] [next in list] [prev in thread] [next in thread]
List: secure-desktops
Subject: Re: [Secure Desktops] Introducing a public db for software and firmware hashes
From: Andrea Zwirner <andrea () zwir ! net>
Date: 2016-11-14 9:16:07
Message-ID: aed9958d-6316-0692-6165-7c87e1b9a5ed () zwir ! net
[Download RAW message or body]
Johanna,
for your wall of shame, you can also look for projects that installs
with a pipe on a wgetted-over-http shell script. :-)
e.g.
wget http://some-site.ext/download/software/INSTALL.sh | /bin/sh -
In my experience I've found more than one, but at the moment I can't
recognise any..
Andrea
Il 11/11/2016 16:03, Joanna Rutkowska ha scritto:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Fri, Nov 11, 2016 at 03:40:18PM +0100, Joanna Rutkowska wrote:
>> Hi, I've recently created this simple repo:
>>
>> https://github.com/rootkovska/codehash.db
>>
>> ... which is an attempt to somehow addresses a problem of software and firmware
>> "verifiability" (the word is somehow loaded, hence in quotation marks).
>>
>> I imagine that once more and more vendors, such as e.g. Tails or Subgraph, or
>> secure messenger app devs, or various firmware projects (coreboot, Trezor,
>> OpenWRT, etc) agreed to stick to this format, we could expect each of them to
>> submit hashes + signatures with each new release of their software. These
>> hashes would then be subsequently verified and submitted by other witnesses.
>> Each person or organization will be free to host a repo similar to the one
>> above, only with the "proofs" from the select witness they consider somehow
>> trusted or meaningful.
>>
>> Any comments welcome!
>>
>
> I forgot to mention, that I also plan to add a directory named: hall_of_shame/
> to the repo, which should list all the projects that do really silly things. The
> prime example being projects that automatically do, e.g.:
>
> wget http://some.url.org/some/file.tgz
>
> ... and subsequently continue to unpack it and run make from it. WITHOUT
> checking the hash or digital signature FIRST! And it's a little consolation if
> the URL starts with an https:// or if 'git clone' is used instead -- in any case
> we DO NOT want to trust the infrastructure and their admins, we only want to
> trust hashes or digital signatures.
>
> There are surprisingly large number of projects that do the above. Such projects
> can never be made trustworthy.
>
> joanna.
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCAAGBQJYJd2jAAoJEDOT2L8N3GcY3bUP/iU2nYR5Fz2NlCyFkW84ep2i
> xtTjg//btd923BngXMgQhnHMMZWW94UjPfkt5K0nGU+igEGOQ961GfUSX+fOiqUc
> m3canqVLO+tJJU7CZRw50WGGV8ao/aQOe3Q6b1PsvorbsSr4LZzvoFP/4zuEUp5L
> w5JAX2bVw5hZzbsGo+WF6LjLej1dbv4mqNSnJeKzU816o9Pap+57EDNuDtepPNl0
> fYaj4ocoR82QKSa/KHjdxkFlqp4PUJqBuvBLHAeAJVvYFroWBiMkJu9KCMUjK8P1
> OXgSbpQ+aL7iyQem8D5RiIOjono2MWmzTTDX0Onwf/TA5Pr6zRV49ws/fSHKacIm
> b4YJeArHARN99HXKmVoiaOPcBRqpYQOMSGWcjG9I1eJPoz3Iqth4seafHWS2QdE4
> Bx9GjwpKMWeceM8jaBAPcogmGY5JsATdJB2bvlbqHjHS1VqYTi4xGs/aOiBraYIy
> ReeFTbqpg/td8mCzZ9kw9ViHeOuNyM+JG3DpKgs28fPg0y2X5ac32+iEYUsQcPgW
> oTbN2aG9zLFbPJj39mUQIwqq7QbS2xTL0NICibgAx11vXfWWspR5UMrXCMeXDFp0
> EeMJXUibxDOresWSVmV5d0pl74YArnjqcMmPhGL6uYoWqCqrcdHEP4cBdGk2SkPr
> On9lFW6F6t4dwcAMkRQc
> =Jaay
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Desktops mailing list
> Desktops@secure-os.org
> https://secure-os.org/cgi-bin/mailman/listinfo/desktops
>
--
Andrea Zwirner
andrea.zwir.net
_______________________________________________
Desktops mailing list
Desktops@secure-os.org
https://secure-os.org/cgi-bin/mailman/listinfo/desktops
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic