Jean Marine Posted August 30, 2016 *editing because i didn't see the documentation* Proper security practices should result in the page that tells you what key to download being https, instead of http, where anyone could theoretically easily modify the key ID and thus your download would appear to verify fine. It's 2016 guys, pretty much any server CPU comes with crypto acceleration; it isn't that resource intensive.
Igor Posted September 13, 2016 When the project started, nobody cared about such things ... and when it started expanding, issues started mounting up. I agree with you, but this is just another demand / plea / idea from a large community toward a small crew. At least our images are digitally signed, so it's possible to check their origin.
Jean Marine Posted September 25, 2016 Author Dude just get a free cert from letsencrypt or whatnot. It would take literally five seconds to change the provided keyfile in your webserver config files, as you already have it configured with a self-signed cert. No offense, but if you aren't willing to put in the slightest effort to fix this minor problem then it raises serious doubts about project security in other sectors that take more time and effort to be proper. And no, it really isn't possible to check anything: how do I know somebody has not MITM'ed that page and replaced the key ID with another one?
Igor Posted September 25, 2016 For download images it's trivial indeed and will be done ASAP. For the rest we need to check manuals (wordpress, nginx, ispconfig, IPboard) and it's a task with unknown time of execution at this point. BTW, my public PGP key is stored on a public keyserver. In any case, our primary objective is a build tool, so if you are afraid about security -> build your own image from sources (with our tool or manually). Even this way, you need to trust that the sources are good and fully checked ...
Jean Marine Posted September 25, 2016 Author I greatly enjoy your prompt replies. Thank you. Yes, it is on a public server, but again, as I have said, how do I know somebody hasn't created a key with identical-seeming info (your name, email etc.) and MITM'ed the page that gives me the key ID to download? There is no web of trust, and if the page that gives me the key ID is http then it is a catch-22 problem, unless there is some other way to verify that?... Also:
+ Will you be doing easy-reproducible builds?
+ Does the build process only fetch verified sources from other projects? (even xen still uses http wget lol)
+ Do you have a reasonable level of build process security and dev computer security? (ie, a qubes type security model for all your devs)
These are the kind of questions we must ask ourselves, as random linux projects are starting to be used in important areas (industrial controls, public facing ad signs etc); it isn't just a hobbyist thing anymore: there are a lot of idiots out there who think that, say for instance, hooking up a power plant to the internet is a good idea D:
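The catch-22 described in the two posts above (a key ID read from an http page, and a lookalike key with the same name and e-mail) is what pinning the full fingerprint is for. The script below is an added example written for this thread; it is not Armbian code, does not contact a keyserver, and uses a constructed, deliberately tiny RSA key packet plus constructed "download page" values so it runs offline. The only real facts it relies on are the OpenPGP v4 fingerprint definition (RFC 4880 section 12.2) and that the long key ID is the low 64 bits of that fingerprint. Names and e-mail addresses live in a separate User ID packet and never enter the fingerprint, which is why a lookalike identity does not help an impostor once the fingerprint is pinned.

```python
"""Pin a full OpenPGP fingerprint instead of a key ID read from a page you
cannot authenticate.  Added example; not Armbian project code."""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version byte, creation time,
    algorithm id 1 (RSA), then the MPIs n and e.  No user ID is in here."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the two-octet body length, the body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def long_key_id(fp: str) -> str:
    """The 64-bit key ID is simply the last 16 hex digits of the fingerprint."""
    return fp[-16:]


def normalize(fp: str) -> str:
    """Accept the usual '1234 5678 ...' grouping and any letter case."""
    return "".join(fp.split()).upper()


def key_matches_pinned_fingerprint(body: bytes, pinned: str) -> bool:
    """The check to run before trusting any signature: the key about to be
    used must have exactly the fingerprint recorded out of band."""
    return hmac.compare_digest(fingerprint(body), normalize(pinned))


def trust_key_from_page(body: bytes, page: dict) -> bool:
    """What 'check the key ID shown on the download page' amounts to: the key
    only has to match whatever ID the page currently shows.  If that page was
    served over http, the ID arrived over a channel that could be altered."""
    return long_key_id(fingerprint(body)) == normalize(page["key_id"])


# Constructed sample keys: tiny made-up values, not real keys.
CREATED = 1472515200  # constructed creation timestamp (2016-08-30)
GENUINE_KEY = rsa_v4_public_key_body(CREATED, n=0xC0FFEE_D00D_1337_BEEF_F00D, e=65537)
# Different key material under an identical-looking name/e-mail: a different
# fingerprint, because only the key material and timestamp are hashed.
LOOKALIKE_KEY = rsa_v4_public_key_body(CREATED, n=0xC0FFEE_D00D_1337_BEEF_F00E, e=65537)

# Recorded once over a channel you already trust (https page, signed notice,
# in person); computed here only so the example is self-contained.
PINNED_FINGERPRINT = fingerprint(GENUINE_KEY)

# Constructed stand-ins for the download page as published and as it would
# read if the key ID on it had been changed in transit.
ORIGINAL_PAGE = {"key_id": long_key_id(fingerprint(GENUINE_KEY))}
ALTERED_PAGE = {"key_id": long_key_id(fingerprint(LOOKALIKE_KEY))}


def audit() -> dict:
    """Summarise what each check concludes about both keys."""
    return {
        # Key ID from the page: passes for the genuine key on the real page,
        # and equally passes for the lookalike key on the altered page.
        "page_id_genuine": trust_key_from_page(GENUINE_KEY, ORIGINAL_PAGE),
        "page_id_lookalike": trust_key_from_page(LOOKALIKE_KEY, ALTERED_PAGE),
        # Pinned fingerprint: only the genuine key is accepted.
        "pinned_genuine": key_matches_pinned_fingerprint(GENUINE_KEY, PINNED_FINGERPRINT),
        "pinned_lookalike": key_matches_pinned_fingerprint(LOOKALIKE_KEY, PINNED_FINGERPRINT),
    }


if __name__ == "__main__":
    for name, body in (("genuine", GENUINE_KEY), ("lookalike", LOOKALIKE_KEY)):
        fp = fingerprint(body)
        print(f"{name:10s} fingerprint={fp} key_id={long_key_id(fp)}")
    print(audit())
```

In practice the pinned value is the 40-digit fingerprint you copied from a trusted source, and the body passed to `fingerprint()` comes from the public-key packet of the key you actually fetched (for a real key, gpg prints the same value with `--fingerprint`); the point of the example is that the decision depends only on that comparison, never on an ID the download page itself supplied.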
wildcat_paris Posted September 25, 2016 The nice thing with the Armbian tool is "this is all scripted", so you can trace anything you want while you build your own image. So you can check yourself, with your security team, if it is accurate for you. Then if something is not right for you, you can fork the project and fix it as you need (making the whole community benefit from your changes if needed)
Igor Posted September 26, 2016
> Will you be doing easy-reproducible builds?
Builds can be reproducible, but they might not be exactly, since we are attached to external source projects and we are fixing things daily.
> Does the build process only fetch verified sources from other projects? (even xen still uses http wget lol)
Sources are more or less trusted (mainline kernel and uboot, legacy sources maintained by vendors, some community, some mixed, ...). They are git cloned with https, so nothing gets in between.
> Do you have a reasonable level of build process security and dev computer security? (ie, a qubes type security model for all your devs)
Each developer has their own environment and our common end result is public on Github. Code is reviewed upon commits, so I would say yes. The official build is (so far) always done by me on dedicated hardware, accessible locally, and the output is securely transferred to the download server, which will get SSL when the admin of the server gets up and finds time. The Armbian project is still a small one no matter its importance. Our core team resources and budget are tiny, on a hobby level, so even if some things are possible, we might not be able to afford them. But we take security seriously and possible problems will be fixed ASAP ... just this ASAP will take longer. Sometimes it is hard to see even the most obvious things, so I only thank you for bringing ideas up. I certainly don't want our work to become involved in something like this.