On Mon, Jun 25, 2018 at 07:15:21AM -0400, bill-auger wrote: > On Mon, 2018-06-25 at 11:33 +0200, Jean Louis wrote: > > If users don't know how to verify PGP fingerprints > > with the issues of the PGP key, and it is anyway > > unlikely that any serious percentage would be > > doing so, then we are wasting time by creating > > apparent security. > > it is why package managers such as apt and > pacman run the verifications implicitly so that > the user does not need to know how it is done
It ends up in believing and not assurance. If user did not verify fingerprints, by some other communication line, in reality nothing have been really secured, we have got belief only, and not assurance. Servers can be compromised and they do get ocassionally compromised. Example is where full distribution have been compromised: https://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/ pacman or other package manager verifies that the package have been signed by the referenced PGP key. For user, especially if user does not know nothing, it really means nothing. Because there is no true security there. If you don't know which door in your house is closed or open that does not mean your doors are closed and you are safe, just because you don't know it. Server can be compromised and package databases can be compromised. PGP keys can be published without any connection between the actual key controller and the email address or PGP identity. There are few fake PGP identities of RMS in PGP servers for example. It gives some feeling or assurance, it does not give security. It all ends up with the trust based on belief into the domain and servers, and that the domain and its servers where packages aor package databases located are trusted. But there is no assurance whatsoever to know if the that domain was cracked, as we all do not have any access to domain. So believe into maintainers who maintain their domains and servers that nothing was compromised. Which means there is no security at all. We base the downloads of free software on trust, not on security. All these facts shall be made known by each distribution: - that hashes help only to verify that expected file arrived from server to local computer, and says nothing about the genuity of the package or that it is not compromised, and that it is valid only when the original file would be signed by PGP key and such PGP key fingerprints verified between the user and the real key owner - that PGP signatures cannot be assurance of any security unless fingerprints have been verified by independent communication line with the key owner For more info: https://gnupg.org/faq/gnupg-faq.html#how_do_i_verify_signed_packages Quoting: > Get a copy of the author’s public certificate and > import it to your keyring. It’s important to get > the author’s certificate through a trusted > source. On the internet, anyone can be pretend to > be anyone. Particularly, be careful if the > certificate you have doesn’t match the one used > for prior code releases. Now when knowing this, what users do often is following (not all users): - in the first place does not know and does not have easy access to the information WHO is the maintainer of the package or controller of the PGP key, information exists, but is not easy accessible - does not get copy of author's public certificate, but rather relies on domain and server or distribution itself, probably does not even know the URL from where packages are downloaded, and certainly does not import the certificate into his own keyring, but let it to pacman or package manager to handle it, - does not use the trusted source, but simply trusts everything, user is naive, and we shall make it clear to them that no absolute security exists that package was not compromised - does not understand that something like official.em...@example.com can be faked by just anybody and that everybody can make PGP key for any email address in the world - does not verify if the certificate is recent or changed in comparison to prior code releases - and does not know how to use GnuPG And when package databases and such software is held on mirrors, then even the worse opportunity to get compromised software. Conclusion is that all the efforts that package maintainers are doing can be futile by one single server compromise and changes to the package databases. Jean