killasmurf86 said:
A reason why all source code archives should be gnupg signed.
IMHO you are wrong.
PGP(gpg) crypto algorithm itself is strong enough, but a model of trust to a public key itself is practically around zero.
Check for example public key of <security-officer@FreeBSD.org>.
The key is untrusted since nobody confirm it that is really belong to <security-officer@FreeBSD.org>.
Check latest advisories for example
Code:
# fetch http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc]
[code]
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
gpg: WARNING: [b]This key is not certified with a trusted signature![/b]
gpg: [b]There is no indication that the signature belongs to the owner.[/b]
Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2
killasmurf86 said:
Ye, I'm just saying, why things like GnuPG should be popularised
It is IMHO useless since public keys is non trusted and not verifiable. Anyone can submit a fake public key to pgp key-server that will represent another person.
The only way to confirm PGP(GPG) public keys - via unknown volunteers from web-of-trust that is also questionable because one can submit a bunch of public keys and sign own keys against each other that will create ala trusted key since at list 3 other keys confirm it.
PGP doesn't have tree form of trust model where each new member must be verified by root members before publishing new keys on a public servers.
anomie said:
Presuming the public key is distributed safely (e.g. key server), then of course this is the correct approach.
I'm not sure that is the correct approach.
Go to the
http://http-keys.gnupg.net/ or any other pgp key servers and search for <security-officer@FreeBSD.org>
Do you see there fresh key 5180E90F ? The only difference between FreeBSD key and another one is a message "(test-don't trust this key)" in main field to whom key is belong.
I just "safely" submitted it. Am I a new member of "Security Officer Team" now?
Of course not, because that key should match also with
http://www.freebsd.org/doc/handbook/pgpkeys.html (I afraid a few people know that they exist on the freebsd web site anyway.)
And what about if one hack FreeBSD's HTTP server and replace those keys shown above?
What about if one hack repository and resign with own key some codebase?
CVS doesn't support hashing of objects and integrity checking as it done by git for example, so it would be possible to change some codebase in a few important projects.
Some thought about CVS
http://blogs.sans.org/appsecstreetf...series-rank-20-download-code-integrity-check/
Since FreeBSD use repositories CVS and SVN that are by its nature are centralized to compare with DCVS - all software could be broken in one place.
This topic itself show that no one can be 100% sure that servers can't be broken by hackers and public keys wouldn't be be replaced.
Did you heard also that a few days ago was hacked Savannah project that host a lot of free software which also used by FreeBSD project too?
http://packetstormsecurity.org/news/view/18237/GNU-Savannah-Hacked.html
As you can see PGP sign can't protect project(s) because of non trustful model of PGP mechanism on signing of public keys over common PGP key-servers.
It will be really great if budget of donations to FreeBSD will assume to spend a few hundred bucks out of thousands donated money per year to get signed by trusted third party certificate authority(Verisign, Equifax, StartCom...) SSL certificate.
By the way, StartCom running by a really nice guy who comes from OSS community and I think he can make a discount to such project as FreeBSD.
SSL certificate itself IMHO should be preferably at least of class 2 certificate with extended validation since simple certificates it's just verification by email and assumption that payer is an original owner of credit card that is not obvious as you know.
Extended validation is much more trustful since it's involve verification of official documents that confirm ownership of key holder.
By using S/MIME(SSL) instead of untrusted PGP(gpg) that would be practically impossible to make some changes on servers because public SSL key is signed by trusted third party certificate authority and any downloads then can be verified against CA automatically.
For now until PGP signs is in use we just hope that FreeBSD sites is not hacked in current moment when we download security advisories for example.
Using X.509 could resolve at least an issue in case of successful attack to FreeBSD sites, but couldn't resolve this problem with ports.
Actually it can be solved too if freebsd will get signed X.509 certificate itself and will host non redistributable PGP key-server that will hold only commuters and approvers public keys which would be under protection of trusted freebsd server in this case.
The model of trust to PGP keys of contributors can be implemented as a tree model,- root member sign chiefs of approval departments after personal verification, then chiefs of departments sign public keys of members of their department and so on could be created trusted tree.
All chain of PGP public keys of approvers can be signed by root member who is hold verified SSL certificate.
In this case simple script can verify tree of approver's public keys automatically and only after that verify public key of maintainers that should be signed by approver of particular port.
Only this model can be trustful, otherwise PGP signs is IMHO useless.
Somewhere I saw it - "Sure I'm paranoid, but am I paranoid _E_N_O_U_G_H_?"
Savannah's and ProFTP's issues show us that IMHO we need to mind folk's wisdom: "Smart people learn to the mistakes of others, ordinary people learn to their own mistakes and only fools never learn to nothing."