OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Michael Schloh
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   21-Jun-2005 18:46:32
  Branch: HEAD                             Handle: 2005062117463100

  Modified files:
    openpkg-web             security.wml

  Log:
    first phase of security web pages edition

  Summary:
    Revision    Changes     Path
    1.130       +99 -76     openpkg-web/security.wml
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  ============================================================================
  $ cvs diff -u -r1.129 -r1.130 security.wml
  --- openpkg-web/security.wml  11 Jun 2005 16:41:33 -0000      1.129
  +++ openpkg-web/security.wml  21 Jun 2005 16:46:31 -0000      1.130
  @@ -3,65 +3,85 @@
   
   <title>Security</title>
   
  +<a name="top">
   <h1>Security</h1>
  +</a>
  +
  +OpenPKG takes security very seriously. Experience has shown that security
  +through obscurity does not work. Rather, public disclosure allows for more
  +rapid and better solutions to security problems. This page addresses
  +OpenPKG's state of security with respect to the problems which could
  +potentially affect an OpenPKG installation.
   
  -OpenPKG takes security very seriously. Experience has shown that "security
  -through obscurity" does not work. Public disclosure allows for more rapid and
  -better solutions to security problems. In that vein, this page addresses
  -OpenPKG's status with respect to various known security holes, which could
  -potentially affect OpenPKG.
  +<a name="toc">
  +<h2>Page Contents</h2>
  +</a>
  +
  +<ul>
  +   <li><a href="#top">Security (top of page)</a></li>
  +   <li><a href="#toc">Page Contents</a></li>
  +   <li><a href="#notifications">Security Incident Notifications</a></li>
  +   <li><a href="#policies">Security Policies</a></li>
  +   <li><a href="#advisories">Security Advisories</a></li>
  +   <li><a href="#signature">Digital Signatures</a></li>
  +</ul>
   
  +<a name="notifications">
   <h2>Security Incident Notifications</h2>
  +</a>
   
   <p>
   <box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
  -Notification of security incidents should be reported to <a
  +Your notifications of security incidents should be reported to <a
   href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>.
  -Expect to be requested by the Petidomo robot to send back a confirmation mail
  -before your security notification is actually delivered to the OpenPKG team.
  -With a fast reaction time, this step will not interfere with your concern.
  +Expect to be requested by the Petidomo robot to send back a confirmation
  +mail before your notification is actually delivered to the OpenPKG team.
  +The Petidomo protection logic will not interfere with your concern, as the
  +reaction time is particularly fast.
   </box>
   
   <p>
  -Notice: all non-security related reports sent to the above address are
  +Note: all reports unrelated to security sent to the above address are
   silently ignored.
   
  -<a name="advisories">
  -<h2>Security Advisories</h2>
  +<a name="policies">
  +<h2>Security Policies</h2>
   </a>
   
  -The OpenPKG project provides security advisories and updated SRPMs for
  -packages of CORE+BASE class that belong to either
  +The OpenPKG project provides security advisories (SAs) and updated SRPMs
  +(UPDs) for packages of CORE+BASE class that belong to either
   
   <ul>
      <li>the most recent official release of OpenPKG or</li>
      <li>the immediate predecessor of the most recent release.</li>
   </ul>
   
  -Following this policy, at this time, security advisories and updated SRPMs 
are
  -being issued for
  +According to this policy, security advisories and updated SRPMs are
  +now being issued for
   
   <ul>
      <li>OpenPKG 2.3 CORE+BASE class packages</li>
      <li>OpenPKG 2.2 CORE+BASE class packages</li>
   </ul>
   
  -Older releases are not maintained and users are strongly encouraged to 
upgrade
  -to one of the supported releases mentioned above. Like all development
  -efforts, security fixes are first brought into the OpenPKG-CURRENT branch.
  -After a some testing, the fix is retrofitted into the supported 
OpenPKG-STABLE
  -and OpenPKG-SOLID branch(es).
  +Older releases are not maintained and therefore users are strongly
  +encouraged to upgrade to one of the supported releases mentioned above. Like
  +all development efforts, security corrections are first committed to the
  +OpenPKG-CURRENT branch.  After adequate testing, the fix is retrofitted to
  +the supported OpenPKG-STABLE and OpenPKG-SOLID branch(es).
   
   <p>
  -Security Advisories are sent out by the OpenPKG project to <a
  -href="mailto:[email protected]";>[email protected]</a> 
and <a
  -href="mailto:[email protected]";>[email protected]</a>.
  -You are strongly advised to at least <a
  -href="support.html">subscribe</a> to the moderated mailing list <a
  -href="mailto:[email protected]";>[email protected]</a>.
  +Security advisories are sent out by the OpenPKG project to
  +<b>[email protected]</b> and <b>[email protected]</b>.
  +You are strongly advised to at least <a href="support.html">subscribe</a> to
  +the moderated mailing list <b>[email protected]</b>.
  +
  +<a name="advisories">
  +<h2>Security Advisories</h2>
  +</a>
   
   <p>
  -The complete list of OpenPKG Security Advisories follow:
  +The complete list of OpenPKG security advisories follows:
   
   <p>
   <define-tag sa>
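Review bot: the new "Page Contents" list links to `#top` and `#toc`, that is, to the heading directly above the list and to the list itself; those two entries carry no information, so keep only the four section links. The `<a name="top">` / `<a name="toc">` anchors wrap `<h1>` and `<h2>`, which places a block element inside an inline element; `<h2><a name="toc">Page Contents</a></h2>` is well-formed and the same applies to the pre-existing `advisories` and `policies` anchors. The abbreviations "(SAs)" and "(UPDs)" introduced in the policy paragraph are never used again on the page; either use them in the lists that follow or drop them. Finally, "the reaction time is particularly fast" in the Petidomo box is an assertion the reader cannot check; saying what happens (a confirmation request arrives, you reply to it, the report is then delivered) is more useful than characterising its speed.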
  @@ -217,41 +237,40 @@
   <h2>Digital Signatures</h2>
   </a>
   
  -The OpenPKG project uses <a href="http://www.gnupg.org/";>GnuPG</a>
  -and <a href="http://www.openpgp.org/";>OpenPGP</a> digital signatures
  -to sign security advisories (see above) and the distribution files
  -(<tt>*.rpm</tt>) of <a href="ftp://ftp.openpkg.org/release/";>official
  -OpenPKG releases</a>.
  +The OpenPKG project uses <a href="http://www.gnupg.org/";>GnuPG</a> and
  +<a href="http://www.openpgp.org/";>OpenPGP</a> digital signatures to sign
  +<a href="#advisories">security advisories</a> and the associated SRPMs of
  +<a href="ftp://ftp.openpkg.org/release/";>official OpenPKG releases</a>.
   
   <p>
  -In order to verify the digital signatures, follow these steps:
  +In order to verify the digital signature of any security advisory or RPM
  +files, follow these steps:
   
   <ol>
   <li><b>OpenPKG 2.x</b>
       <p>
  -    OpenPKG 2.x has the capability to check signed packages with built-in
  +    OpenPKG 2.x has the capability to check signed packages using built-in
       cryptographic tools. The OpenPKG OpenPGP public key is preinstalled and
  -    appears as if it were a package. OpenPGP is only necessary to verify
  -    things different from packages, i.e. an advisory text, or to sign
  -    packages.
  +    appears as if it were a package. To verify RPM files, nothing more is
  +    needed.  Separate OpenPGP cryptography software is needed when verifying
  +    security advisory texts or to sign packages, however.
   <p>
  -<li><b>Install GnuPG</b>
  +<li><b>Install GnuPG Software</b>
       <p>
  -    This is the preferred tool for working with OpenPGP. We recommend you to
  -    install it by using the OpenPKG <a
  -    href="ftp://ftp.openpkg.org/release/1.3/SRC/gnupg-1.2.2-1.3.1.src.rpm";>
  -    gnupg</a> package.
  -    Alternatively you can fetch it from its official homepage <a
  -    href="http://www.gnupg.org/";>http://www.gnupg.org/</a> and build/install
  -    it manually. Then make sure the program <tt>gpg</tt> is in your
  -    <tt>$PATH</tt>. If you installed it via OpenPKG under <i>prefix</i>
  -    you can simply use <tt>eval `<i>prefix</i>/etc/rc --eval openpkg 
env`</tt> for this.
  +    GnuPG is the preferred tool for working with OpenPGP. We recommend
  +    installing the OpenPKG gnupg package from the OpenPKG
  +    <a href="ftp://ftp.openpkg.org/release/";>package repository</a>.
  +    Alternatively, you can fetch it from its official homepage
  +    <a href="http://www.gnupg.org/";>http://www.gnupg.org/</a> and then
  +    build and install it manually. Make sure the program <tt>gpg</tt> is in
  +    your <tt>$PATH</tt>. If you installed it via OpenPKG under <i>prefix</i>
  +    you can simply use <tt>eval `<i>prefix</i>/etc/rc --eval openpkg
  +    env`</tt> to accomplish this.
   <p>
  -<li><b>Import the OpenPKG's OpenPGP public key</b>
  +<li><b>Import the OpenPKG OpenPGP public key</b>
       <p>
  -    You can import the <a href="http://www.openpgp.org/";>OpenPGP</a> public
  -    key of "OpenPKG &lt;[EMAIL PROTECTED]&gt;" into your
  -    key-ring in one of the following ways:
  +    You can import the OpenPGP public key of "OpenPKG &lt;[EMAIL 
PROTECTED]&gt;"
  +    into your key ring in one of the following ways:
       <ul>
         <li>Directly from the master location (preferred):<br>
             <tt>$ lynx -source http://www.openpkg.org/openpkg.pgp | gpg 
--import</tt>
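Review bot: step 1 now states "To verify RPM files, nothing more is needed", which is right for `openpkg rpm --checksig` with the preinstalled key, but step 5 of the same list (last hunk) makes RPM verification conditional on "building and installing GnuPG"; keep the step 1 statement and make step 5 say that GnuPG and the imported key are needed for advisory texts only. The introductory paragraph also narrows the signed artifacts to "the associated SRPMs", whereas the removed text covered the distribution files (`*.rpm`) and the RPM verification step still says "either source or binary"; say "RPM files (source and binary)" here so the three places agree. "verify the digital signature of any security advisory or RPM files" mixes number: "of any security advisory or RPM file". Removing the hard-coded link to `gnupg-1.2.2-1.3.1.src.rpm` under release 1.3 is right, since 1.3 falls outside the support policy stated above.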
  @@ -263,13 +282,13 @@
   <p>
   <li><b>Verify the integrity of the imported OpenPKG public key</b>
       <p>
  -    You always should make sure the imported key is the correct one by
  -    verifying at least its fingerprint. For this, run the following
  -    command:
  +    You should always make sure the imported key is the correct one by
  +    at least verifying its fingerprint. To verify the imported key's
  +    fingerprint, run the following command:
       <p>
       <tt>$ gpg --fingerprint openpkg</tt>
       <p>
  -    Make sure it prints the following fingerprint:
  +    Ensure that it prints the following fingerprint text:
       <p>
       <box bdspace=4 bgcolor="#f0f0f0">
       <b>6D96 EFCF CF75 3288 10DB &nbsp; 40C2 8075 93E0 63C4 CB9F</b></pre>
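Review bot: the context line `<b>6D96 EFCF ... CB9F</b></pre>` closes a `<pre>` that is never opened inside the `<box>`; remove the stray `</pre>` while this block is being edited. The step also only says what to expect, not what to do on a mismatch; a sentence stating that a key whose fingerprint differs must not be used (discard it and fetch the key again from the master location) closes that gap, since the following step relies on the key being the genuine one.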
  @@ -277,18 +296,19 @@
   <p>
   <li><b>Verify the security advisory or distribution files</b>
       <p>
  -    Now you are ready to verify the integrity and authentication of an 
OpenPKG
  -    security advisory or an OpenPKG RPM distribution file. 
  +    After building and installing GnuPG and integrating the OpenPKG public
  +    key, the integrity and authenticity of OpenPKG security advisories and
  +    RPM files may be verified.
       <p>
       <ul>
       <li><b>Security Advisory Verification</b>
           <p>
  -        To verify a security advisory, just pipe the message through the
  -        following command:
  +        To verify a security advisory, pipe the message through the
  +        command 'gpg --verify':
           <p>
  -        <tt>$ gpg --verify</tt>
  +        <tt>$ cat OpenPKG-SA-2005.001-perl.txt | gpg --verify</tt>
           <p>
  -        Make sure it successfully responds with
  +        Ensure that it successfully responds with:
           <p>
           <tt>gpg: Good signature from "OpenPKG &lt;[EMAIL PROTECTED]&gt;"</tt>
           <p>
  @@ -296,26 +316,29 @@
           <p>
           <tt>gpg: BAD signature from "OpenPKG &lt;[EMAIL PROTECTED]&gt;"</tt>
           <p>
  -        you can be sure the message was tampered with or not provided by the
  -        OpenPKG project.
  +        then it is a clear indication that the security advisory text is
  +        invalid and not certified by the OpenPKG project.
       <p>
  -    <li><b>RPM Distribution File Verification</b>
  +    <li><b>RPM File Verification</b>
           <p>
  -        To verify a RPM file <i>name</i><tt>.rpm</tt> (both source or
  +        To verify a RPM file <i>name</i><tt>.rpm</tt> (either source or
           binary), run the following command on it:
           <p>
  -        <tt>$ rpm -v --checksig <i>name</i>.rpm</tt>
  -        <p>
  -        Make sure it successfully responds with:
  +        <tt>$ openpkg rpm -v --checksig <i>name</i>.rpm</tt>
           <p>
  -        <tt><i>name</i>.rpm: md5 gpg OK</tt>
  +        Ensure that it successfully responds with:
           <p>
  -        If instead it responds with (or something else): 
  -        <p>
  -        <tt><i>name</i>.rpm: md5 GPG NOT OK</tt>
  -        <p>
  -        you can be sure the RPM was tampered with or not provided as
  -        a released part of the OpenPKG project.
  +        <tt><i>name</i>.rpm:</tt>
  +        <tt><i>name</i>.rpm:</tt><br />
  +        <tt>&nbsp;&nbsp;&nbsp;&nbsp;Header V3 DSA signature: OK</tt><br />
  +        <tt>&nbsp;&nbsp;&nbsp;&nbsp;Header SHA1 digest: OK</tt><br />
  +        <tt>&nbsp;&nbsp;&nbsp;&nbsp;MD5 digest: OK</tt><br />
  +        <tt>&nbsp;&nbsp;&nbsp;&nbsp;V3 DSA signature: OK</tt>
  +        <p>
  +        If instead it responds with the text <i>NOT OK</i> rather than
  +        <i>OK</i> or anything else for that matter, then it is a clear
  +        indication that the RPM file is invalid and not certified by the
  +        OpenPKG project.
       </ul>
   </ol>
   
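Review bot: the expected `openpkg rpm -v --checksig` output lists `<i>name</i>.rpm:` twice, and the first copy lacks the `<br />`, so the rendered block shows a duplicated line; delete one of the two. The opening sentence "After building and installing GnuPG and integrating the OpenPKG public key" makes RPM verification depend on GnuPG, contradicting step 1 of this list, and "building" ignores the recommended route of installing the OpenPKG gnupg package; "After installing GnuPG and importing the OpenPKG public key, security advisories can be verified; RPM files can be verified with the preinstalled key alone" would be accurate. For the advisory check, `gpg --verify OpenPKG-SA-2005.001-perl.txt` does the same as the `cat ... |` form, and "Good signature" on its own is not the whole check: gpg prints "Good signature" for any key carrying that user ID and warns that the key is not certified unless it was locally signed, so the text should say the key ID reported must be the one whose fingerprint was verified in the previous step. The NOT OK sentence reads awkwardly ("rather than OK or anything else for that matter"); "any line reporting NOT OK, or output differing from the above, means ..." is clearer. Also, rpm 4.x normally appends `, key ID ...` and the digest value after `OK` on these lines, so the sample should either show a complete line or mention that extra text after OK is expected, lest readers take it for a mismatch.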
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [email protected]
