https://bugs.kde.org/show_bug.cgi?id=424994
Bug ID: 424994
Summary: Warn about insufficient package security
Product: Discover
Version: unspecified
Platform: unspecified
OS: All
Status: REPORTED
Severity: wishlist
Priority: NOR
Component: discover
Assignee: lei...@leinir.dk
Reporter: lq1prs+2rm8s1mam7fmjxo0...@sharklasers.com
CC: aleix...@kde.org
Target Milestone: ---

Please add the following security warnings to Discover:

- No/Insufficient Transport Encryption
- No/Insufficient Package Signing
- No/Insufficient Repository Signing
- No/Insufficient Security Notifications
- Package Is Not Reproducible
- Package Cannot Be Cross-Checked

No/Insufficient Transport Encryption
====================================

Transport encryption can mitigate critical package manager vulnerabilities such as https://justi.cz/security/2019/01/22/apt-rce.html, provided that the mirror that's being used is not compromised. In most Linux distributions, though, either the package manager downloads packages over plain HTTP/FTP, or the mirrors sync over plain rsync, or both. Solus is one notable exception [1].

No/Insufficient Package Signing
===============================

Package signing prevents compromised mirrors from serving malicious packages.

Guilty: Solus [1], KaOS [2].

No/Insufficient Repository Signing
==================================

Repository signing prevents compromised mirrors from withholding security updates.

Guilty: Arch Linux [3], Manjaro [4].

No/Insufficient Security Notifications
======================================

Even with signed packages and repositories, a compromised mirror can still withhold security updates until the user notices the lack of updates or the repository expires. This can be solved by fetching security notifications from the distribution's official servers. As far as I know, Fedora is the only distribution that implements this [5].
Package Is Not Reproducible
===========================

Reproducible builds allow anyone to check if a binary package corresponds to its source code by building the source code themselves and comparing the output with the original binary package. This makes it very easy to detect backdoors introduced during the compilation process.

From https://reproducible-builds.org/:

"[...] most software is distributed pre-compiled with no method to confirm whether they correspond. [...] This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence."

"This ability to notice if a developer has been compromised then deters such threats or attacks occurring in the first place as any compromise would be quickly detected. This offers comfort to front-liners that they not only can [not] be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users."

Package Cannot Be Cross-Checked
===============================

Cross-checking packages against multiple independent mirrors (or even against packages downloaded by other users via peer-to-peer communication) would prevent an attacker who has compromised the developer and one of the mirrors from serving a backdoored package to a specific user who's using said compromised mirror. I don't know of any Linux distribution or package manager that implements this. In fact, I got this idea from some obscure article that I can't even find anymore...
================

[1] https://discuss.getsol.us/d/5073-eopkg-security
[2] https://github.com/KaOSx/core/blob/0310e8fd08595ec57e87e3f9af5ee53bc407b8d5/pacman/pacman.conf#L41
[3] https://github.com/archlinux/svntogit-packages/blob/a04db1567ee37a6e7fc84fb8493e39d49dd54ec2/trunk/pacman.conf#L40
[4] https://gitlab.manjaro.org/packages/core/pacman/-/blob/master/pacman.conf.x86_64#L42
[5] https://patrick.uiterwijk.org/blog/2018/2/23/fedora-package-delivery-security#metalink
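The following is an added example, not code from the report above or from Discover, showing how the first three warning categories (transport encryption, package signing, repository signing) can be derived from a pacman-style configuration. It parses the SigLevel syntax documented in pacman.conf(5), where unprefixed tokens apply to both packages and databases, a Package/Database prefix narrows a token to one of them, later tokens override earlier ones, and TrustedOnly/TrustAll only govern key trust. The configuration text and mirror URLs are constructed for this example; the "Required DatabaseOptional" value is assumed to match the Arch default cited in [3]. Include files are not followed.

```python
import re

# Constructed sample input (not a real distribution's shipped file). The
# [options] SigLevel value is assumed to match the Arch default from [3];
# the [custom] repo and the mirror URLs are made up for this example.
SAMPLE_PACMAN_CONF = """\
[options]
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[custom]
SigLevel = Never
Server = http://mirror.example.invalid/$repo/os/$arch
"""

SAMPLE_MIRRORS = [
    "https://mirror.example.invalid/archlinux/$repo/os/$arch",
    "http://mirror2.example.invalid/archlinux/$repo/os/$arch",
]

SIG_LEVELS = ("Never", "Optional", "Required")
INSECURE_SCHEMES = ("http", "ftp", "rsync")


def parse_siglevel(value, base=None):
    """Resolve a SigLevel value into {'package': level, 'database': level}.

    `base` carries the [options] defaults so a repo section only overrides
    what it mentions. TrustedOnly/TrustAll are ignored: they decide which
    keys are trusted, not whether signatures are checked at all.
    """
    levels = dict(base or {"package": None, "database": None})
    for tok in value.split():
        targets = ("package", "database")
        for prefix in ("Package", "Database"):
            if tok.startswith(prefix):
                targets, tok = (prefix.lower(),), tok[len(prefix):]
                break
        if tok in SIG_LEVELS:
            for target in targets:
                levels[target] = tok
    return levels


def parse_pacman_conf(text):
    """Return {section: {'siglevel': str|None, 'servers': [urls]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {"siglevel": None, "servers": []}
            continue
        if current is None or "=" not in line:
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if key == "SigLevel":
            sections[current]["siglevel"] = val
        elif key == "Server":
            sections[current]["servers"].append(val)
    return sections


def audit(pacman_conf_text, mirror_urls):
    """Return sorted warning strings in the categories the report proposes."""
    sections = parse_pacman_conf(pacman_conf_text)
    global_levels = parse_siglevel(sections.get("options", {}).get("siglevel") or "")
    warnings = set()
    for name, sec in sections.items():
        if name == "options":
            continue
        levels = parse_siglevel(sec["siglevel"] or "", base=global_levels)
        # Anything short of Required lets a compromised mirror swap packages
        # (package level) or withhold updates by serving a stale db (database level).
        if levels["package"] != "Required":
            warnings.add(f"No/Insufficient Package Signing ({name}: {levels['package'] or 'unset'})")
        if levels["database"] != "Required":
            warnings.add(f"No/Insufficient Repository Signing ({name}: {levels['database'] or 'unset'})")
    urls = list(mirror_urls) + [u for sec in sections.values() for u in sec["servers"]]
    for url in urls:
        scheme = url.split("://", 1)[0].lower()
        if scheme in INSECURE_SCHEMES:
            warnings.add(f"No/Insufficient Transport Encryption ({scheme}: {url})")
    return sorted(warnings)


if __name__ == "__main__":
    for warning in audit(SAMPLE_PACMAN_CONF, SAMPLE_MIRRORS):
        print(warning)
```

Run against the sample, this reports the [custom] repo for both package and repository signing, the [core] repo for repository signing only (it inherits DatabaseOptional from [options]), and the two plain-HTTP URLs for transport. A frontend would map the same three categories onto per-repository warnings; the notification, reproducibility and cross-checking categories need data the client does not have locally, so they are out of scope here.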