Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.security > #6157

Re:Re: Concerns about Security of packages in Debain OS and the Operating system itself.

From Ravi Dwivedi <ravi@ravidwivedi.in>
Newsgroups linux.debian.devel, linux.debian.project, linux.debian.security
Subject Re:Re: Concerns about Security of packages in Debain OS and the Operating system itself.
Date 2022-06-29 15:10 +0200
Message-ID <EDFC9-80Ot-3@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway

Cross-posted to 3 groups.

Show all headers | View raw

Since the below mentioned analysis of Debian's security, and that too 
compared to other distros, is not very well-known outside of Debian 
project(it didn't come up in any internet searches, the web of trust 
gets mentioned but there is not much explanation on it), I suggest 
writing in somewhere in Debian wiki or blog post.

I am willing to write that as well if the Debian project does not have 
any problems.

 > i believe the answer is in the question. debian is based on 
distributed trust.  i did the analysis (took 3 weeks): it is literally 
the only distro in the world with an inviolate chain of trust from a 
large keyring dating back 20 years that is itself GPG-signed as a 
package, with a package distribution chain from source where all 
components within the chain up to release are unbroken and inviolate.

 > take ubuntu for example: whilst it has the exact same technology the 
size of the developer pool, comprising the web of trust, is both much 
smaller and also controlled by one Corporation: Canonical. Canonical 
says "jump", the developers ask "how high".

 > take Suse, Fedora etc: their RPM packages break the chain of trust by 
failing to properly include a GPG Signature of the Release (i do not 
recall the exact details, i did the analysis 4 years ago)

 > take Archlinux: their community is vulnerable to unverified github 
repositories being abandoned, a hacker re-registering them, and a trojan 
uploaded and distributed automatically.

 > i won't even bother going into the absolute moronic practice of 
"trusting" HTTPS: node, pypi, etc should be blindingly obviously 
untrustworthy, with the website being a prime hacking target if nothing 
else.

 > even GNU packages are hopelessly inadequately secure as far as social 
engineering and hacking are concerned.

 > debian is not a single centralised repository, it is controlled by 
no-one. you have to compromise hundreds of independent developers before 
you make any headway, and as a result it was trusted by e.g. the 
Venezuelan Government as the basis for their own distro, many years ago.

 > there is not even a centralised dependency on a website: packages may 
be securely distributed by Carrier Pigeon or printed out on paper and 
OCR scanned if you really want to because there is a full GPG Chain and 
Checksums, right back to the source code.

 > and that (GPG Chains) basically, is the key.  anyone stupid enough to 
do something stupid is going to be throwing away their reputation, not 
just within the debian project as a maintainer, but for life.

 > you abuse your position as a maintainer by putting in trojan code, 
because that trojan package had to be GPG Signed, you have to make a 
*public and irreversible declaration* which will remain in historical 
archives for the rest of your life and beyond.

 > this would result in catastrophic consequences for not just their 
involvement in debian (which would be terminated with prejudice), but 
because their GPG Signature on the trojan package is public, inviolate 
and irrevocable, it would also have catastrophic consequences for their 
career in IT because nobody would ever trust them in a position of 
responsibility, ever again. they'd be flipping burgers for the rest of 
their life.

 > fundamentally, then, you are assuming that there is "one controller 
of debian", which is false.  there are literally hundreds of 
*independent* developers, all of whom know their responsibility, all of 
whom know that they have all other independent developers keeping an eye 
on them.

 > this makes debian pretty much the only distro that could be trusted 
to remain true to humanity and to its principles and its charter. even 
when some of them (you know who you are) are when it comes down to it 
not very nice people, they can at least be trusted to do the right thing.
-- 
Ravi Dwivedi,
https://ravidwivedi.in
GPG Key Fingerprint
AFCA 169F 18B6 8814 ABE6 102A 5E9F 47BE 14DD 8BE6

Back to linux.debian.security | Previous | NextNext in thread | Find similar

Thread

Re:Re: Concerns about Security of packages in Debain OS and the  Operating system itself. Ravi Dwivedi <ravi@ravidwivedi.in> - 2022-06-29 15:10 +0200
  Re: Re: Concerns about Security of packages in Debain OS and the  Operating system itself. lkcl <luke.leighton@gmail.com> - 2022-06-29 16:20 +0200

csiph-web