2003-01-29 05:31:24

by H. Peter Anvin

Subject: kernel.org frontpage

Just in case anyone cares :) I have changed the kernel.org frontpage
from linking to .gz to linking to .bz2 files. It should now also
display snapshot releases if they exist.

-hpa
--
<[email protected]> at work, <[email protected]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt <[email protected]>


2003-01-29 09:37:21

by John Bradford

Subject: Re: kernel.org frontpage

> Just in case anyone cares :) I have changed the kernel.org frontpage
> from linking to .gz to linking to .bz2 files. It should now also
> display snapshot releases if they exist.

Cool, would it be worth putting in a link to the relevant .sign files
as well?

John

2003-01-29 09:43:32

by H. Peter Anvin

Subject: Re: kernel.org frontpage

John Bradford wrote:
>>Just in case anyone cares :) I have changed the kernel.org frontpage
>>from linking to .gz to linking to .bz2 files. It should now also
>>display snapshot releases if they exist.
>
>
> Cool, would it be worth putting in a link to the relevant .sign files
> as well?

No, it would add absolutely nothing (other than clutter.) All the .sign
files are good for is to check for rogue mirrors.

-hpa


2003-01-29 15:00:18

by Valdis Klētnieks

Subject: Re: kernel.org frontpage

On Wed, 29 Jan 2003 01:52:43 PST, "H. Peter Anvin" said:

> No, it would add absolutely nothing (other than clutter.) All the .sign
> files are good for is to check for rogue mirrors.

Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.



2003-01-29 18:04:26

by H. Peter Anvin

Subject: Re: kernel.org frontpage

[email protected] wrote:
> On Wed, 29 Jan 2003 01:52:43 PST, "H. Peter Anvin" said:
>
>
>>No, it would add absolutely nothing (other than clutter.) All the .sign
>>files are good for is to check for rogue mirrors.
>
>
> Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.

NO!

THE SIGN FILES DO NOT VERIFY AGAINST A COMPROMISED KERNEL.ORG MASTER SITE.

-hpa

2003-01-29 18:27:49

by Chris Friesen

Subject: Re: kernel.org frontpage

H. Peter Anvin wrote:
> [email protected] wrote:
>
>> On Wed, 29 Jan 2003 01:52:43 PST, "H. Peter Anvin" said:
>>
>>> No, it would add absolutely nothing (other than clutter.) All the
>>> .sign files are good for is to check for rogue mirrors.
>>
>> Or a rogue *primary* site, as has already happened to OpenSSH and
>> Sendmail.
>
> NO!
>
> THE SIGN FILES DO NOT VERIFY AGAINST A COMPROMISED KERNEL.ORG MASTER SITE.

Perhaps for the truly paranoid the signatures should be posted to this
newsgroup and digitally signed by someone trusted.

Chris


--
Chris Friesen | MailStop: 043/33/F10
Nortel Networks | work: (613) 765-0557
3500 Carling Avenue | fax: (613) 765-2986
Nepean, ON K2H 8E9 Canada | email: [email protected]

2003-01-29 18:46:11

by Valdis Klētnieks

Subject: Re: kernel.org frontpage

On Wed, 29 Jan 2003 13:36:55 EST, Chris Friesen said:

> Perhaps for the truly paranoid the signatures should be posted to this
> newsgroup and digitally signed by someone trusted.

It's called the PGP web of trust. There's already some 107 signatures on
the PGP key - who else would you want signing it? The point is that we've
already (presumably) proved via the web-of-trust that PGP key 517d0f0e is
in fact the proper key, and that for an intruder to post a valid signature
of a trojaned .tar.gz would require them to *ALSO* compromise the machine
that the signing is done on (hopefully a different machine than ftp.kernel.org).

Yes, an intruder could leave a forged signature with a random key easily. But
to leave a forged signature with the key that's already on my keyring is a
lot harder...
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech



2003-01-29 18:46:05

by Andi Kleen

Subject: Re: kernel.org frontpage

Chris Friesen <[email protected]> writes:

> > THE SIGN FILES DO NOT VERIFY AGAINST A COMPROMISED KERNEL.ORG MASTER SITE.
>
> Perhaps for the truly paranoid the signatures should be posted to this
> newsgroup and digitally signed by someone trusted.

Or just sign them on the ftp site with the key from someone trusted.

-Andi

2003-01-29 19:04:42

by John Bradford

Subject: Re: kernel.org frontpage

> > No, it would add absolutely nothing (other than clutter.) All the .sign
> > files are good for is to check for rogue mirrors.
>
> Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.

I see what you mean, but I don't see how it makes it any less useful
to have them on the front page - if you download the latest kernel
patch from a mirror, you could then just click on the relevant link on
the front page of kernel.org - in fact, as http access to kernel.org is
frequently much slower than ftp, it might actually be very useful,
because anybody downloading via http would make two requests, (OK,
about 7, because of the images on the front page), instead of about
13, if they traverse each directory to the .sign file.

John

2003-01-29 19:11:04

by Valdis Klētnieks

Subject: Re: kernel.org frontpage

On Wed, 29 Jan 2003 19:14:43 GMT, John Bradford said:

> I see what you mean, but I don't see how it makes it any less useful
> to have them on the front page - if you download the latest kernel
> patch from a mirror, you could then just click on the relevant link on
> the front page of kernel.org - in fact, as http access to kernel.org is
> frequently much slower than ftp, it might actually be very useful,
> because anybody downloading via http would make two requests, (OK,
> about 7, because of the images on the front page), instead of about
> 13, if they traverse each directory to the .sign file.

I was arguing that they *should* be on the front page, since they *are*
useful and it *would* lower the number of requests.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech



2003-01-29 19:20:02

by H. Peter Anvin

Subject: Re: kernel.org frontpage

John Bradford wrote:
>>>No, it would add absolutely nothing (other than clutter.) All the .sign
>>>files are good for is to check for rogue mirrors.
>>
>>Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.
>
>
> I see what you mean, but I don't see how it makes it any less useful
> to have them on the front page - if you download the latest kernel
> patch from a mirror, you could then just click on the relevant link on
> the front page of kernel.org - in fact, as http access to kernel.org is
> frequently much slower than ftp, it might actually be very useful,
> because anybody downloading via http would make two requests, (OK,
> about 7, because of the images on the front page), instead of about
> 13, if they traverse each directory to the .sign file.
>

No, just download the signature from the mirror and verify it. This
isn't an MD5 signature.

-hpa


2003-01-29 19:21:08

by H. Peter Anvin

Subject: Re: kernel.org frontpage

[email protected] wrote:
> On Wed, 29 Jan 2003 19:14:43 GMT, John Bradford said:
>
>
>>I see what you mean, but I don't see how it makes it any less useful
>>to have them on the front page - if you download the latest kernel
>>patch from a mirror, you could then just click on the relevant link on
>>the front page of kernel.org - infact, as http access to kernel.org is
>>frequently much slower than ftp, it might actually be very useful,
>>because anybody downloading via http would make two requests, (OK,
>>about 7, because of the images on the front page), instead of about
>>13, if they traverse each directory to the .sign file.
>
>
> I was arguing that they *should* be on the front page, since they *are*
> useful and it *would* lower the number of requests.
>

I am not going to do something that will provide false security to
people. Case closed; please read the signature FAQ.

-hpa

2003-01-29 19:28:31

by Russell King

Subject: Re: kernel.org frontpage

On Wed, Jan 29, 2003 at 01:55:22PM -0500, [email protected] wrote:
> Yes, an intruder could leave a forged signature with a random key
> easily. But to leave a forged signature with the key that's already
> on my keyring is a lot harder...

I believe a script signs the files on ftp.kernel.org, which means the
private key is on the master machine, probably without a pass phrase.
That means that if the master server is compromised, it's highly likely
that a rogue file will have a correct signature.

As hpa says, the GPG signature provides no assurance that Linus put
up patch-2.5.60.bz2 and not some random other person.

The only way to be completely sure is for Linus to gpg-sign the patches
himself at source with a known gpg key using a secure pass phrase before
they leave his machine (preferably before the machine is connected to
the 'net to upload them for the really paranoid.)

--
Russell King ([email protected]) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html
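
The trust argument in Russell King's message and in Valdis's earlier one, together with hpa's point that a detached signature, unlike an MD5 sum, can be fetched from the same untrusted mirror as the file, as an added example that is not part of the original thread. It stands in for the kernel.org PGP key with a freshly generated Ed25519 key (an assumption; the thread's key 517d0f0e is not used), and runs the cases over constructed tarball bytes: a rogue mirror cannot produce a verifying signature whether it keeps the original or re-signs with its own key, while an intruder on a master server that holds the passphrase-less signing key produces a signature that verifies perfectly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"fmt"
)

// Release models a tarball and its detached .sign file as served by a mirror.
type Release struct {
	Tarball []byte
	Sig     []byte
}

// Verify checks a release against the public key the downloader already trusts
// (hpa's "trust path to the key"). Neither the tarball nor the signature needs
// to come from a trusted host; only the key does.
func Verify(trusted ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(trusted, r.Tarball, r.Sig)
}

// ChecksumMatches models an MD5 sum published beside the file. Anyone who can
// replace the file can republish a matching sum, so it proves nothing about
// who produced the file.
func ChecksumMatches(tarball []byte, published [md5.Size]byte) bool {
	return md5.Sum(tarball) == published
}

// Scenarios returns the verification outcome for each case discussed in the
// thread, keyed by a short description.
func Scenarios() (map[string]bool, error) {
	// Release signing key: an Ed25519 stand-in for the kernel.org key (assumption).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// An intruder's own key, which has no path in the web of trust.
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	// Constructed sample contents standing in for patch-2.5.60.bz2.
	genuine := []byte("constructed tarball bytes: patch-2.5.60")
	trojaned := []byte("constructed tarball bytes: patch-2.5.60 plus backdoor")

	good := Release{Tarball: genuine, Sig: ed25519.Sign(priv, genuine)}
	out := map[string]bool{}

	// Both file and signature downloaded from a mirror: verifies against the pinned key.
	out["genuine from mirror"] = Verify(pub, good)

	// Rogue mirror swaps the tarball but leaves the original .sign file.
	out["rogue mirror, original sig"] = Verify(pub, Release{Tarball: trojaned, Sig: good.Sig})

	// Rogue mirror re-signs with a random key (Valdis: "easy", but it fails
	// against the key already on the downloader's keyring).
	out["rogue mirror, resigned with random key"] = Verify(pub,
		Release{Tarball: trojaned, Sig: ed25519.Sign(roguePriv, trojaned)})

	// Compromised master: the passphrase-less signing key lives on the server,
	// so the intruder signs with the real key and the signature verifies.
	out["compromised master, real key"] = Verify(pub,
		Release{Tarball: trojaned, Sig: ed25519.Sign(priv, trojaned)})

	// MD5 sum fetched from the same rogue mirror as the file: always "matches".
	out["rogue mirror, md5 from same mirror"] = ChecksumMatches(trojaned, md5.Sum(trojaned))

	return out, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-42s verifies=%v\n", name, ok)
	}
}
```

The only case that distinguishes the two kinds of attack is the pinned public key: a detached signature is worth exactly as much as the independence of the machine holding the private key from the machine serving the files, which is the point Russell King makes about signing at source.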

2003-01-29 19:40:43

by Valdis Klētnieks

Subject: Re: kernel.org frontpage

On Wed, 29 Jan 2003 19:37:50 GMT, Russell King said:

> I believe a script signs the files on ftp.kernel.org, which means the
> private key is on the master machine, probably without a pass phrase.
> That means that if the master server is compromised, it's highly likely
> that a rogue file will have a correct signature.

OK.. I missed that part, and thought somebody was doing a check-and-balance
before files went out.

> The only way to be completely sure is for Linus to gpg-sign the patches
> himself at source with a known gpg key using a secure pass phrase before

Now there's a thought.. ;)



2003-01-29 19:48:17

by John Bradford

Subject: Re: kernel.org frontpage

> No, just download the signature from the mirror and verify it. This
> isn't an MD5 signature.

Good point, if the main site has been compromised, and the key
obtained, it would be a bit pointless concerning ourselves with
whether the mirror had been compromised separately :-)

John.

2003-01-29 19:44:34

by John Bradford

Subject: Re: kernel.org frontpage

> On Wed, 29 Jan 2003 19:14:43 GMT, John Bradford said:
>
> > I see what you mean, but I don't see how it makes it any less useful
> > to have them on the front page - if you download the latest kernel
> > patch from a mirror, you could then just click on the relevant link on
> > the front page of kernel.org - in fact, as http access to kernel.org is
> > frequently much slower than ftp, it might actually be very useful,
> > because anybody downloading via http would make two requests, (OK,
> > about 7, because of the images on the front page), instead of about
> > 13, if they traverse each directory to the .sign file.
>
> I was arguing that they *should* be on the front page, since they *are*
> useful and it *would* lower the number of requests.

Sorry, I'd deleted the original message, and didn't want to break the
thread :-)

John.

2003-01-30 10:46:07

by Hans Reiser

Subject: Re: kernel.org frontpage

H. Peter Anvin wrote:

>I am not going to do something that will provide false security to
>people. Case closed; please read the signature FAQ.
>
> -hpa
>
>
>
Are you monitoring the development of SFS by Mazieres?

I believe that would be the best way to handle it.

--
Hans


2003-01-30 20:32:59

by Kasper Dupont

Subject: Re: kernel.org frontpage

"H. Peter Anvin" wrote:
>
> All the .sign
> files are good for is to check for rogue mirrors.

I believe I can also use them to check against a MiM
attack against my connection to kernel.org.

--
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:[email protected]
for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);

2003-01-30 20:35:33

by H. Peter Anvin

Subject: Re: kernel.org frontpage

Kasper Dupont wrote:
> "H. Peter Anvin" wrote:
>
>>All the .sign
>>files are good for is to check for rogue mirrors.
>
> I believe I can also use them to check against a MiM
> attack against my connection to kernel.org.
>

You can, assuming you have a trust path to the key.

-hpa

2003-01-30 20:40:08

by John Bradford

Subject: Re: kernel.org frontpage

> > All the .sign
> > files are good for is to check for rogue mirrors.
>
> I believe I can also use them to check against a MiM
> attack against my connection to kernel.org.

Yes.

John.