(heavy-pruning same-mail subthreads)

On Sun, Aug 16, 2015 at 12:06:53PM +0000, Anthony Towns wrote:
> Here's how you currently setup an external repo as securely as possible:
> 
>  1. You hear about a cool repo from somewhere, and are told to go to
>     https://example.org/debian/README.html for more instructions.
> 
>  2. You read that page, and obtain a line to add to sources.list and
>     a key to add to apt-key.
> 
>  3. You (maybe) look at the key to see if it's signed by someone you
>     know, and doesn't look shady.
> 
>  4. You add the key and sources.list entry, and run apt to install the
>     packages.
> 
> If https and example.org are secure, or if you are able to verify the
> key using the web of trust, this is fine (although it requires a bit of
> effort). 
> 
> If neither of those are reliable (because you've got a Lenovo laptop
> so anyone can fake SSL on you or just because its an http:// url not an
> https:// one; and because you don't understand gpg so don't know about
> the web of trust, or because someone in the Debian keyring isn't 100%
> perfect, eg), then there's a MITM attack: I capture your traffic to
> example.org, replace the README, key and repo, and you're stuck.
> 
> That's the MITM attack that's avoidable.

So, the solution is to replace key and sources.list entry in the README
with "uid on extrepo.d.o": That is a user interface improvement, but
just as attackable as before by the same MITM.

The user interface improvement might be worth it anyhow, but selling
this as huge security improvement is just wrong, which is all I am
against.


> With extrepos as I describe them, the steps are:
> 
>  1. You hear about a cool repo from somewhere, and are told to just
>     get the example-abc123 repo.
>
>  2. You run "extrepo add example-abc123", and run apt to install the
>     packages.

That should ideally still include 3. as especially with a centralized
site you are susceptible to end up with bad data stored under a similar
name, like you do if you trust short keyids for gpg.


> > > > No it isn't fine to have e.g
> > > > deb http://httpredir.debian.org/debian sid main
> > > > deb http://httpredir.debian.org/debian sid main contrib
> > > > If you drop the 'main' from the second (or just the complete first) line
> > > > everything is fine.
> > > It seems fine even with the dupe to me? With:
> > > deb http://http.debian.net/debian/ testing main contrib non-free
> > > deb http://http.debian.net/debian/ testing main
> > > I just get:
> > > W: Duplicate sources.list entry http://http.debian.net/debian/ testing/main amd64 Packages (/var/lib/apt/lists/http.debian.net_debian_dists_testing_main_binary-amd64_Packages)
> > Sure, if you do not consider warnings from your package manager a problem,
> > then yes, this is totally fine… with the same reasoning we could ignore
> > security altogether as this is just a warning, too, though.
> 
> Huh? apt showing a warning doesn't introduce a security problem. Ignoring
> security altogether does.
> 
> "Oh my, introducing a new repo that duplicates an existing repo gives
> me a warning that I have duplicated repos!!1!" just doesn't seem like
> a compelling complaint to me.

That wasn't an "all engines full stop". My initial comment on this was "you
will *eventually* need to deal with merging in the funky gui tools adding
sources." (highlight by me). And for the record, I think it is really
really bad to even suggest that it is okay to ignore warnings. They are
displayed for a reason – in that case there is a fair chance the user
meant to configure another source but actually didn't.


Best regards

David Kalnischkies
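The two checks the thread turns on, the duplicate-entry condition behind apt's "W: Duplicate sources.list entry" warning and the plain-http entries that make the described MITM possible, as an added example that is not part of the original mail and not code from apt or extrepo. The matching key (type, URI, suite, component, arch) is an approximation of how apt decides two entries are duplicates, and the sources.list content is constructed for the example.

```python
"""Lint one-line-style sources.list content: report duplicated
(type, uri, suite, component, arch) entries and plain-http URIs."""
import re
from collections import defaultdict

# Constructed sample sources.list content, not taken from a real system.
SAMPLE_SOURCES = """\
deb http://http.debian.net/debian/ testing main contrib non-free
deb http://http.debian.net/debian/ testing main
deb https://example.org/debian stable main
deb [arch=amd64] http://example.org/debian stable main
"""

OPTION_RE = re.compile(r"\[(.*?)\]")


def parse_line(line):
    """Parse 'deb [opts] uri suite comp...' into a dict, or None for blank/comment/odd lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    options = {}
    m = OPTION_RE.search(line)
    if m:
        # Options are space-separated key=value pairs inside the brackets.
        for opt in m.group(1).split():
            key, _, value = opt.partition("=")
            options[key] = value
        line = line[:m.start()] + line[m.end():]
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("deb", "deb-src"):
        return None
    return {"type": parts[0], "options": options, "uri": parts[1],
            "suite": parts[2], "components": parts[3:]}


def find_duplicates(text):
    """Map each (type, uri, suite, component, arch) key that occurs more than
    once to the 1-based line numbers that define it.

    Approximation of apt's duplicate check: the trailing slash on the URI is
    ignored, and a missing arch option is recorded as '*'."""
    seen = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        arch = entry["options"].get("arch", "*")
        for comp in entry["components"]:
            key = (entry["type"], entry["uri"].rstrip("/"), entry["suite"], comp, arch)
            seen[key].append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def find_plain_http(text):
    """Return the line numbers whose URI is fetched over plain http://."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is not None and entry["uri"].startswith("http://"):
            hits.append(lineno)
    return hits


def lint(text):
    """Render both findings as warning strings, one per finding."""
    report = []
    for (typ, uri, suite, comp, arch), lines in sorted(find_duplicates(text).items()):
        report.append(f"W: duplicate {typ} {uri} {suite}/{comp} [{arch}] on lines {lines}")
    for lineno in find_plain_http(text):
        report.append(f"W: line {lineno} uses plain http://, transport is MITM-able")
    return report


if __name__ == "__main__":
    for warning in lint(SAMPLE_SOURCES):
        print(warning)
```

On the constructed input the linter flags only the `main` component of the two http.debian.net lines as duplicated (exactly the case quoted in the thread), while `contrib` and `non-free` from the first line are not duplicates, and it lists every line still using plain http://.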
