
Why is there no *real* download verification method?


Jean Marine


*editing because I didn't see the documentation*

Proper security practices should result in the page that tells you what key to download being https, instead of http where anyone could theoretically easily modify the key ID and thus your download would appear to verify fine.

 

It's 2016 guys, pretty much any server CPU comes with crypto acceleration; it isn't that resource intensive.


Dude just get a free cert from letsencrypt or whatnot.

It would take literally five seconds to change the provided keyfile in your webserver config files, as you already have it configured with a self signed cert.

 

No offense but if you aren't willing to put in the slightest effort to fix this minor problem then it raises serious doubts about project security in other sectors that take more time and effort to be proper.

 

 

And no, it really isn't possible to check anything: how do I know somebody has not MITM'ed that page and replaced the key ID with another one?


For download images it's trivial indeed and will be done ASAP. For the rest we need to check manuals (WordPress, nginx, ISPConfig, IPBoard) and it's a task with an unknown time of execution at this point.

 

BTW, my public PGP key is stored on a public keyserver. In any case, our primary objective is a build tool, so if you are worried about security -> build your own image from sources (with our tool or manually). Even this way, you need to trust that the sources are good and fully checked ...


I greatly enjoy your prompt replies :D Thank you.

 

 

Yes, it is on a public server, but again, as I have said, how do I know somebody hasn't created a key with identical-seeming info (your name, email etc.) and MITM'ed the page that gives me the key ID to download?

 

 

There is no web of trust, and if the page that gives me the key ID is http then it is a catch-22 problem, unless there is some other way to verify that?...

 

Also:

 

+ Will you be doing easy-reproducible builds?

+ Does the build process only fetch verified sources from other projects? (even xen still uses http wget lol)

+ Do you have a reasonable level of build process security and dev computer security? (i.e., a Qubes-type security model for all your devs)

 

These are the kind of questions we must ask ourselves, as random Linux projects are starting to be used in important areas (industrial controls, public-facing ad signs etc.); it isn't just a hobbyist thing anymore: there are a lot of idiots out there who think that, say for instance, hooking up a power plant to the internet is a good idea D:

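As an added example (not from this thread or from the Armbian project), here is how a download-verification step can defend against exactly the look-alike key Jean Marine describes: it consumes the machine-readable output of `gpg --status-fd 1 --verify` and accepts only a VALIDSIG whose full fingerprint equals one pinned in advance from an authenticated channel (an HTTPS page or an out-of-band exchange). GOODSIG alone is not enough, since it shows only a key ID and a user ID, both of which a look-alike key on a keyserver can copy. The fingerprints, key IDs and user ID below are constructed placeholders.

```python
# Decide whether a downloaded file is verified, from the status output of
#   gpg --status-fd 1 --verify image.img.xz.asc image.img.xz
# Only a VALIDSIG whose *full* fingerprint matches the pinned value counts.

# Fingerprint of the real signing key, obtained once over an authenticated
# channel. Constructed placeholder, not any project's real key.
PINNED_FINGERPRINT = "ABCD EF01 2345 6789 ABCD  EF01 2345 6789 ABCD EF01"

# Status keywords that end verification immediately.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

def verify_status(status_output: str, pinned_fpr: str = PINNED_FINGERPRINT):
    """Return (ok, reason) for one gpg --status-fd run."""
    pinned = pinned_fpr.replace(" ", "").upper()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, f"rejected: {keyword}"
        if keyword == "VALIDSIG":
            # fields[2] is the fingerprint of the key that made the signature;
            # when a signing subkey was used, the primary key fingerprint is
            # the last field. Either may be the one that was pinned.
            candidates = {fields[2].upper()}
            if len(fields) >= 12:
                candidates.add(fields[-1].upper())
            if pinned in candidates:
                return True, f"valid signature by pinned key {pinned}"
            return False, f"valid signature, but by unpinned key {fields[2]}"
    return False, "no VALIDSIG line: nothing verified"

# Constructed sample: a genuine signature from the pinned key.
GENUINE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 23456789ABCDEF01 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2016-03-01 1456790400 0 4 0 1 8 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed look-alike: same user ID and same short key ID (ABCDEF01),
# which is all an http page or a keyserver search by short ID would show,
# but a different key. GOODSIG looks fine; only the fingerprint gives it away.
LOOKALIKE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 66667777ABCDEF01 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 00001111222233334444555566667777ABCDEF01 2016-03-01 1456790400 0 4 0 1 8 00 00001111222233334444555566667777ABCDEF01
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print(verify_status(GENUINE))    # (True, 'valid signature by pinned key ...')
    print(verify_status(LOOKALIKE))  # (False, 'valid signature, but by unpinned key ...')
```

Note that TRUST_UNDEFINED appears in both samples: with no web of trust, as the thread points out, the pinned fingerprint is what replaces it.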

The nice thing with the Armbian tool is "this is all scripted",

 

so you can trace anything you want while you build your own image. So you can check yourself, with your security team, whether it is accurate for you.

 

Then if something is not right for you, you can fork the project and fix it as you need (making the whole community benefit from your changes if needed).


Will you be doing easy-reproducible builds?

 

Builds can be reproducible, but they might not be exactly, since we are attached to external source projects and we are fixing things daily.

 

Does the build process only fetch verified sources from other projects? (even xen still uses http wget lol)

 

Sources are more or less trusted (mainline kernel and U-Boot, legacy sources maintained by vendors, some community, some mixed, ...). They are git cloned over https, so nothing gets in between.

 

Do you have a reasonable level of build process security and dev computer security? (i.e., a Qubes-type security model for all your devs)

 

Each developer has their own environment and our common end result is public on GitHub. Code is reviewed upon commits, so I would say yes. The official build is (so far) always done by me on dedicated hardware, accessible locally, and the output is securely transferred to the download server, which will get SSL when the admin of the server gets up and finds time.

 

The Armbian project is still a small one, no matter its importance. Our core team resources and budget are tiny, on a hobby level, so even if some things are possible, we might not be able to afford them. But we take security seriously and possible problems will be fixed ASAP ... just this ASAP will take longer :)

 

Sometimes it is hard to see even the most obvious things, so I can only thank you for bringing ideas up. I certainly don't want our work to become involved in something like this :o :)
