[linux-elitists] Surveillance
Eugen Leitl
eugen at leitl.org
Sun Sep 8 10:09:06 PDT 2013
Anyone with CA/package signing opsec clue willing to help Linux
distros with advice to improve package signing security?
----- Forwarded message from Greg KH <greg at kroah.com> -----
Date: Sun, 8 Sep 2013 09:58:23 -0700
From: Greg KH <greg at kroah.com>
To: linux-elitists at zgp.org
Subject: Re: [linux-elitists] Surveillance
User-Agent: Mutt/1.5.21 (2010-09-15)
On Sun, Sep 08, 2013 at 06:43:09PM +0200, Eugen Leitl wrote:
> On Sun, Sep 08, 2013 at 09:08:24AM -0700, Greg KH wrote:
>
> > > Real physical security and a process to keep signing secrets
> > > secure in community based Linux and *BSD distributions.
> >
> > What are the problems in the existing processes that you feel are weak?
> > For example, what is wrong with openSUSE's signing process that you feel
> > is wrong?
>
> I'm only aware of how Debian does things, and not in any detail.
Then don't assume that all distros have this type of problem please.
> What I would do is to separate the signing secrets across multiple
> key people, and do a recorded/witnessed ceremony following a CA-like
> model, signing on an air-gapped machine which is securely
> wiped afterwards and transferring packages via sneakernet
> (making sure there's nothing autoexecuted on plugin)
> to the machine where it is being published. Yes, this is a huge
> pain.
And it makes automated builds an almost impossible thing to achieve, so
it's not realistic.
> So have a secure process in place, monitor the process by
> external parties so that we can be sure that it is actually being
> done the way it is said to be done. Trust, but verify.
Agreed, and I think that other distros already do this, Debian might be
the exception :(
> > > Review of anything crypto based. Completely different process
> > > for anything crypto based than for everything else. No more
> > > undetected regression meltdowns a la Debian.
> >
> > What type of review? What type of process would catch stuff like that?
>
> Getting in the professionals. A lot of old cryptography and
> cypherpunk hands have reappeared and the woodwork is buzzing
> with activity. They have clue and they're willing to help.
Projects almost always gladly accept patches and review, what's stopping
anyone from doing this today? I know of a handful of people who started
doing this for the Linux kernel a few years ago and instantly got job
offers to continue doing this full-time. Some of them accepted and have
been working very well on fixing a huge range of issues. Some decided
to stay where they were and continue to churn out great tools that let
us fix these issues (academia is a good place for stuff like this.)
Those tools work on all projects if they wish to be used, it's only a
matter of the developers using them.
> Somebody should first get them talking, and then organize a
> physical meeting. If I knew any distro guys I would try to
> hook them up.
Have them go to FOSDEM, where all the distros have a multi-day track to
work on issues that encompass them all.
greg k-h
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5