From eugen@leitl.org Sun Sep 8 13:09:09 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Surveillance
Date: Sun, 08 Sep 2013 19:09:06 +0200
Message-ID: <20130908170906.GL29404@leitl.org>

Anyone with CA/package signing opsec clue willing to help Linux distros
with advice to improve package signing security?

----- Forwarded message from Greg KH -----

Date: Sun, 8 Sep 2013 09:58:23 -0700
From: Greg KH
To: linux-elitists(a)zgp.org
Subject: Re: [linux-elitists] Surveillance
User-Agent: Mutt/1.5.21 (2010-09-15)

On Sun, Sep 08, 2013 at 06:43:09PM +0200, Eugen Leitl wrote:
> On Sun, Sep 08, 2013 at 09:08:24AM -0700, Greg KH wrote:
>
> > > Real physical security and a process to keep signing secrets
> > > secure in community based Linux and *BSD distributions.
> >
> > What are the problems in the existing processes that you feel are weak?
> > For example, what is wrong with openSUSE's signing process that you feel
> > are wrong?
>
> I'm only aware of how Debian does things, and not in any detail.

Then don't assume that all distros have this type of problem please.

> What I would do is to separate the signing secrets across multiple
> key people, and do a recorded/witnessed ceremony following a CA-like
> model, signing on an air-gapped machine which is securely
> wiped afterwards and transferring packages via sneakernet
> (making sure there's nothing autoexecuted on plugin)
> to the machine where it is being published. Yes, this is a huge
> pain.

And it makes automated builds an almost impossible thing to achieve, so
it's not realistic.

> So have a secure process in place, monitor the process by
> external parties so that we can be sure that it is actually being
> done the way it is said to be done. Trust, but verify.

Agreed, and I think that other distros already do this, Debian might be
the exception :(

> > > Review of anything crypto based. Completely different process
> > > for anything crypto based than for everything else. No more
> > > undetected regression meltdowns a la Debian.
> >
> > What type of review? What type of process would catch stuff like that?
>
> Getting in the professionals. A lot of old cryptography and
> cypherpunk hands have reappeared and the woodwork is buzzing
> with activity. They have clue and they're willing to help.

Projects almost always gladly accept patches and review, what's stopping
anyone from doing this today?

I know of a handful of people who started doing this for the Linux kernel
a few years ago and instantly got job offers to continue doing this
full-time. Some of them accepted and have been working very well on
fixing a huge range of issues. Some decided to stay where they were and
continue to churn out great tools that let us fix these issues (academia
is a good place for stuff like this.) Those tools work on all projects if
they wish to be used, it's only a matter of the developers using them.

> Somebody should first get them talking, and then organize a
> physical meeting. If I knew any distro guys I would try to
> hook them up.

Have them go to FOSDEM, where all the distros have a multi-day track to
work on issues that encompass them all.

greg k-h

_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for
maximum one recipient.
linux-elitists mailing list
linux-elitists(a)zgp.org
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
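Added example (not part of the thread, and not any distro's actual tooling): one concrete way to do the "separate the signing secrets across multiple key people" step from Eugen's proposal is Shamir's threshold secret sharing. The key holders each keep one share, and the signing key only exists in memory on the air-gapped ceremony machine while at least the threshold number of holders are present. The 32-byte key below is a constructed placeholder, not a real key; the 64-byte limit and the choice of the Mersenne prime 2**521-1 as the field are assumptions of this example.

```python
"""Shamir threshold sharing of a package-signing key (added example).

Assumed setting (not from the thread): the signing key is a raw byte string
of at most 64 bytes, e.g. an Ed25519 seed, and k of n key holders must be
present at the signing ceremony before the key can be reassembled.
"""
import secrets

# 2**521 - 1 is a Mersenne prime, so any 64-byte secret is a valid field element.
PRIME = 2**521 - 1

# Constructed demo key for the example; never a real signing key.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff"
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def _eval_poly(coeffs, x):
    # Horner's rule; coeffs[0] is the constant term, i.e. the secret.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split `secret` into `shares` (index, value) pairs; any `threshold` recover it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if len(secret) > 64:
        raise ValueError("secret longer than 64 bytes does not fit the field")
    s = int.from_bytes(secret, "big")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Share i is the polynomial evaluated at x = i (x = 0 is never handed out).
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(points) -> int:
    """Lagrange-interpolate the sharing polynomial at x = 0 and return the integer."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Basis polynomial L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(points, length: int) -> bytes:
    """Reassemble the key bytes from at least `threshold` shares."""
    return recover_int(points).to_bytes(length, "big")


def ceremony_demo() -> bool:
    """3-of-5 round trip: three holders present suffice, any three of them."""
    shares = split_secret(DEMO_KEY, threshold=3, shares=5)
    holders_present = [shares[1], shares[3], shares[4]]
    return recover_secret(holders_present, len(DEMO_KEY)) == DEMO_KEY


if __name__ == "__main__":
    print("3-of-5 ceremony reassembled the key:", ceremony_demo())
```

Fewer than `threshold` shares interpolate a different, uniformly random polynomial, so they reveal nothing about the key; that is the property a witnessed ceremony relies on. The shares still need the same handling the thread asks for (offline storage, a record of which holders were present), and the reassembled key should exist only on the air-gapped machine that is wiped afterwards.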