Re: !!!!
I already said there are no plans to start signing things. What more is there to discuss? Two things: 1) Why not? I'd like to know the reasons. I've read the FAQ, I've checked the archives, and I've read all of the messages in this thread. The best answer seems to be because we can't be bothered. But that's inconsistent with OpenBSD's proactive approach to security. The OpenBSD project has put more effort into less significant security features than this. 2) Given that there are no plans to start signing things, what's the best way to update an OpenBSD system (including packages)? The modal answer is buy the CDs, but that only works for releases. The best answer seems to be use anoncvs over ssh and compile everything yourself, but that requires X and is time-consuming, and you need to somehow verify the server's fingerprint. The upgrade guide at http://www.openbsd.org/faq/upgrade51.html specifically recommends setting PKG_PATH and running pkg_add -ui. This is vulnerable to both compromised mirrors and man-in-the-middle attacks. Section 4.1 of the installation guide at http://www.openbsd.org/faq/faq4.html specifically says that you can download the install ISO or use an FTP or HTTP mirror. This is vulnerable to both compromised mirrors and man-in-the-middle attacks. There is a discrepancy between what the official documentation recommends and what people on this list recommend. Moreover, the official documentation says nothing of the risks its recommendations entail, and thus creates a false sense of security.
Re: !!!!
To the OP. When checking I choose a source mirror or two and download just the SHA256. There is no sha256 for src.tgz and sys.tgz but you can use ssh for the source code by getting the fingerprint once like for signatures but tied to servers and not devs. Thanks for trying to help, Kevin, but there are significant weaknesses in your process. How do you upgrade packages? I have PKG_PATH set for root and use pkg_add -ui. The packages that OpenBSD provides are not signed, so if the mirror from which I get my packages is compromised, so is my computer. If the packages that OpenBSD provides were signed by the OpenBSD project, then I could at least be reasonably confident that the packages were not compromised between their signing and my obtaining them. You say that you download SHA256 from a couple of mirrors to check it. Depending on which mirrors you use and from where they mirror, this does not necessarily provide independent verification. Moreover, anybody that controls a common node between you and the mirrors (e.g., many employees of your ISP) can perform a man-in-the-middle attack such that you get the same compromised files for every mirror (without them even having to compromise the mirrors). This may sound paranoid or far-fetched, but there are tools such as Firesheep that make this relatively easy to do. If the distribution sets that OpenBSD provides were signed by the OpenBSD project, then we could at least be reasonably confident that the distribution sets were not compromised between their signing and our obtaining them. You say that you use SSH for the source code, which is great, except that you need to somehow verify the server's fingerprint the first time. The OpenBSD website doesn't use HTTPS, so again you're vulnerable to a man-in-the-middle attack. Moreover, OpenBSD does not support building ports on systems without X, so if you run OpenBSD on a server without X, then you can't build your own ports from source. If the distribution sets and packages that OpenBSD provides were signed by the OpenBSD project, then we could at least be reasonably confident that the packages and distribution sets were not compromised between their signing and our obtaining them. It's true that signatures may create a false sense of security whereby people think they are safer than they actually are because they misunderstand which threats signatures do and do not protect against. However, this is true of any security measure, and is not a reason to avoid it. For example, W^X may create a false sense of security whereby people think that unsafe programming practices are not a problem, but that's not a reason to avoid W^X. It's true that the OpenBSD project would need to keep their keys secure and that building the distribution sets and packages would involve an extra step, but surely this is a trade-off that the most secure operating system would be happy to make. Practically every other operating system already does.
Re: !!!!
There are significant weaknesses in any process, the majority of which occur between the build infrastructure and source providers which OpenBSD does a very nice job of. I'm not sure why you think that's where the majority of problems occur, but in any case, my point is that using signatures would alleviate many (but not all) significant problems. You don't need to install straight away and can check those packages before you install and then install them on all your machines from a local source. That's much less convenient, and also means that I have to manually account for dependencies (or run pkg_add repeatedly and see which dependencies are missing each time). If the OpenBSD project signed its packages, pkg_add -ui would work as it does now, and I could be reasonably confident that the packages were not compromised between being signed and me installing them. You say that you download SHA256 from a couple of mirrors to check it. Depending on which mirrors you use and from where they mirror, this does not necessarily provide independent verification. No, I said 'source mirror' (aka high tier) and I said 'download just the SHA256' as these mirrors are meant only for syncing. This tedious, manual process is vulnerable to man-in-the-middle attacks. If the OpenBSD project signed its packages and disribution sets, you could, with almost no extra effort, be reasonably confident that they were not compromised between being signed and you downloading them. You say that you use SSH for the source code, which is great, except that you need to somehow verify the server's fingerprint the first time. So how do you verify anything the first time like an iso that comes with keys? If you purchase OpenBSD CDs, you could get the public keys from those; otherwise, you could get them via HTTPS from https://www.openbsd.org/ and be reasonably confident that the keys were genuine. I understand that certification authorities are not perfect. My point is that this would make some attacks much more difficult. Also, long-time OpenBSD users would be able to see that the same signing keys were used for new releases/snapshots as were used for several previous releases/snapshots, meaning that they could reason that no NEW man-in-the-middle attack was taking place when they obtained the new release/snapshot. Again, I understand that this is not perfect. My point is that it would make some attacks much more difficult. The OpenBSD website doesn't use HTTPS, so again you're vulnerable to a man-in-the-middle attack. Moreover, OpenBSD does not support building ports on systems without X, so if you run OpenBSD on a server without X, then you can't build your own ports from source. You don't need to run X, just install the sets or even particularly required files and you can close off any security risk with the machdep sysctl, again which linux cannot do without patching the kernel. OpenBSD does not support building ports on systems without X, so if you run OpenBSD on a server without X, then you can't build your own ports from source. You could build them on another system that has X and then transfer them (is that what you were proposing?), but that requires a lot of extra effort. If the OpenBSD project provided signed packages, then we could, with no extra effort, be reasonably confident that the packages were not compromised between being signed and our downloading them. I'm not sure why you mentioned Linux. I want OpenBSD to be as good as possible, regardless of what Linux can or cannot do. It's true that the OpenBSD project would need to keep their keys secure and that building the distribution sets and packages would involve an extra step, but surely this is a trade-off that the most secure operating system would be happy to make. Practically every other operating system already does. And have had rogue code in their repos whereas OpenBSD nearly has! Again, I'm not claiming that signatures would magically solve every problem. I'm claiming that they would make many attacks significantly harder and that the extra security they provide makes them worthwhile. Also, other operating systems have sometimes detected compromises precisely because they used signatures. As I suggested, they could keep one key secure to sign the SHA256 just to save everyone checking on completely insecure slow phones etc. and also reduce the attack window to the first time but you should consider three things. If the key is compromised, how does anyone you know. If the compromise is detected, the OpenBSD project can announce it via its mailing lists and website, and generate a revocation message. If the compromise is not detected, then, by definition, we don't know. Signatures offer no protection against this. However, we should not make the mistake of thinking that a security measure is not worthwhile merely because it does not protect against every conceivable problem. The false sense of
Re: !!!!
I could have answered lots of points that were weak or erroneous in this thread but that would just be feeding trolls. You must be using the term troll differently to how the rest of the world uses it. I have legitimate concerns that I have explained in detail that no one has yet responded to in a way that really addresses them. Saying that lots of points in this thread are weak or erroneous and then calling me a troll does nothing to further the discussion and is, ironically, exactly the sort of behaviour one would expect from a troll (as the term is usually used). I see lots of OpenBSD should... and I want... types of statements. Actually, I never used either phrase. You're trying to make me seem more demanding than I actually am and then criticising my attitude rather than addressing my actual concerns. For the benefit of absolute newbies here is a precis of the OpenBSD raison d'etre: I've been using BSD since 1998, and unix for a few years before that. Calling me an absolute newbie doesn't address any of my arguments; it's just a transparent psychological ploy whereby you pretend that your position is correct without ever actually defending it. People who find some part of OpenBSD has an irritation or deficiency are encouraged to submit diffs. (Referred to as If you have an itch - scratch it or Shut up and hack) OpenBSD's package system already supports package signing, and OpenSSL can sign files, so there is nothing for which to submit a diff. All of the code is there; it's just not being used. Lots of should sayers believe that OpenBSD devs take notice of their demands. Many times if the devs are silent it's because they have better things to do than troll-feeding or using a cluebat. Again, you're using the word troll in an unusual way, and implying that I'm clueless to cover for not having any good answers. It's transparent. Perhaps you can take further discussion off-list. Perhaps you can let us use the list for its intended purpose and refrain from derailing the discussion with condescending personal attacks. Please. Thanks.
Signatures for distribution sets and packages?
Is there any way to verify that distribution sets and packages that I have downloaded have not been tampered with (e.g., by someone with access to the mirror from which I downloaded them)? The package system supports signatures, but the packages distributed on OpenBSD mirrors are unsigned, as is the SHA256 file in each directory.
Re: Signatures for distribution sets and packages?
Is there any way to verify that distribution sets and packages that I have downloaded have not been tampered with (e.g., by someone with access to the mirror from which I downloaded them)? The package system supports signatures, but the packages distributed on OpenBSD mirrors are unsigned, as is the SHA256 file in each directory. Did you RTFA? I've read the FAQ. It says that the package system supports signatures, but, as I wrote above, the packages distributed on OpenBSD mirrors are unsigned. It doesn't say anything about signatures for the distribution sets. Is there some other article that I should read that answers my questions?
