Re: Why no secure code retrieval

emacs-orgmode@gnu.org archives
 help / color / mirror / code / Atom feed

From: Robert Horn <rjhorn@alum.mit.edu>
To: Konstantin Kliakhandler <kosta@slumpy.org>
Cc: Bastien <bzg@gnu.org>, Ian Barton <lists@wilkesley.net>,
	Arun Isaac <arunisaac@systemreboot.net>,
	emacs-orgmode@gnu.org, Nicolas Goaziou <mail@nicolasgoaziou.fr>
Subject: Re: Why no secure code retrieval
Date: Sun, 03 Jul 2016 16:12:45 -0400	[thread overview]
Message-ID: <m3bn2ev5tu.fsf@alum.mit.edu> (raw)
In-Reply-To: <CAH+LVpmmOLqpoYe5D9X01TBGbeUhooafKdZry76Ufv==ZdB0_A@mail.gmail.com>

Konstantin Kliakhandler writes:

> Hello Robert,
>
> I am the OP.
>
> For what it is worth, the current discussion is actually precisely what I
> was aiming at. I agree with your analysis of my Intended goals but
> completely disagree that SHA1 alone is any sort of guarantee.. To be
> precise, I don't just think that it doesn't provide much, but rather that
> alone it provides none at all. This is because I have no idea who produced
> a given SHA1 - whether it was Bastien, or a MITM attacker, or just someone
> who compromised the server.

The SHA1's are created by the git processes at the git server that you
connect to.  Or, in the case of a malicious source, by the malicious
source appearing to be the git server.  The SHA1's are reference
elements used throughout git, and are primarily for integrity protection
against accidents, not against attackers.  Hence it's sufficient that
they be maintained by the git processes.

The plain vanilla git process does not include distribution of SHA1
values by an independent path, so it's not easy to verify against a
trusted source for the correct values.

As Achim Gratz says:
>If the server or repo gets compromised, then it is game over
>until someone notices that the server suddenly doesn't match up the
>local clone.

The most common and appropriate next step (assuming git is used for
distribution) is to make use of PGP signing of tagged versions in git.  This is a
strong signature traceable to some release person or process.  It
provides strong verification and authentication for the contents of a
specific tagged release.  This protects against distribution server and repo
compromises, but not against development process compromises.

This would be a reasonable step for org-mode releases.  The release
process only involves a few people, and key management would not be too
hard.  It doesn't solve the problem for non-git distribution methods.
My guess is that the ELPA users are the most exposed.  Fixing that
really belongs to ELPA, but if I were putting together the cyber
security plan for org-mode I would call out this gap and make clear that
it is a gap that can't be easily solved by org-mode.  (Maybe tweaking
someone more familier with ELPA to tell me how to solve it for ELPA.)

Signed tags do not provide much extra protection for developers.  The
usual git process of using SSH keys to authenticate developers is much
easier to manage than individually signed changes.  It's vulnerable to
all the usual attacks.  Overall integrity depends upon the release
testing and verification process.  Signed commits can reduce these
risks.

Signed commits are a lot more work than the SSH key methods.  I doubt
that the committers have the appetite to deal with all the issues
involved.

R Horn

next prev parent reply	other threads:[~2016-07-03 20:13 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-28 12:10 Why no secure code retrieval Konstantin Kliakhandler
2016-06-29  6:11 ` Arun Isaac
2016-06-30 11:50   ` Nicolas Goaziou
2016-07-02 14:18     ` Bastien Guerry
2016-07-02 16:51       ` Ian Barton
2016-07-03  7:09         ` Bastien Guerry
2016-07-03 15:11           ` Robert Klein
2016-07-03 15:20           ` Achim Gratz
2016-07-03 16:57           ` Robert Horn
2016-07-03 18:18             ` Konstantin Kliakhandler
2016-07-03 18:25               ` Achim Gratz
2016-07-03 20:12               ` Robert Horn [this message]
2016-07-03 22:36                 ` Konstantin Kliakhandler
2016-07-04  0:17                   ` Robert Horn
2016-07-04  6:15                     ` Konstantin Kliakhandler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.orgmode.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m3bn2ev5tu.fsf@alum.mit.edu \
    --to=rjhorn@alum.mit.edu \
    --cc=arunisaac@systemreboot.net \
    --cc=bzg@gnu.org \
    --cc=emacs-orgmode@gnu.org \
    --cc=kosta@slumpy.org \
    --cc=lists@wilkesley.net \
    --cc=mail@nicolasgoaziou.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).