[sf-lug] Security of mirrors

Rick Moen rick at linuxmafia.com
Wed Mar 31 10:10:00 PDT 2010


Quoting Robert Damphousse (rjdampho at gmail.com):

> Does anyone have some thoughts on the security of software mirrors for
> our favorite Linux distros? Given all the hacking we are seeing from
> China right now, which is mostly done via binary malware on Windows
> machines, I am wondering if a software mirror can be compromised to
> achieve a similar result on Linux systems?

Are your packages cryptographically signed, and does your package
manager check the signing key and error out if it's not OK?  If so, then
as long as you take care to accept only valid signing keys into your
keyring, it doesn't _matter_ if the mirror is compromised.

(If the machine where packages get built and signed is compromised, or
an ill-intentioned developer is accepted as a package maintainer and
his/her work passes peer review, then there's a big problem, but that's
a different threat model.)

Development machines at the Debian and Gentoo projects were
root-compromised by a kernel bug at the end of 2003, but the intruders
were not able to compromise the repositories on account of package
signing:  http://linuxgazette.net/issue98/moen.html

> Today's reading from Google:
> http://googleonlinesecurity.blogspot.com/2010/03/chilling-effects-of-malware.html

Yet another craptastic malware article that, as usual, fails to address
the question most of interest:  How does that code get executed?
More at:  "Security Snake Oil" on http://linuxmafia.com/kb/Essays/
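The verification policy Rick describes, as an added example that is not part of the original thread: the client trusts only keys already in its local keyring, checks the signature on the repository manifest, then checks each package against the hashes in that signed manifest, so a tampered mirror is caught whether or not it re-signs with its own key. The HMAC-based sign/verify pair is a stand-in assumed for this example so it runs with the standard library; real package managers use OpenPGP or similar public-key signatures, and the keyring then holds only public keys.

```python
import hashlib
import hmac
import json

# Stand-in for a public-key signature (assumption for this example only).
def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)

def build_release(signing_keys, key_id, packages):
    """Signer side: a signed manifest listing the SHA-256 of every package."""
    digests = {name: hashlib.sha256(blob).hexdigest() for name, blob in packages.items()}
    manifest = json.dumps(digests, sort_keys=True).encode()
    return {"manifest": manifest, "key_id": key_id, "sig": sign(signing_keys[key_id], manifest)}

def fetch_package(trusted_keyring, release, packages, name):
    """Client side: trust comes from the local keyring, never from the mirror."""
    key = trusted_keyring.get(release["key_id"])
    if key is None:
        return None, "signing key not in trusted keyring"
    if not verify(key, release["manifest"], release["sig"]):
        return None, "bad signature on release manifest"
    expected = json.loads(release["manifest"]).get(name)
    blob = packages.get(name)
    if blob is None or expected is None:
        return None, "package missing"
    if hashlib.sha256(blob).hexdigest() != expected:
        return None, "package hash does not match signed manifest"
    return blob, "ok"

# Constructed sample data: the distro's signing key and a hostile mirror's key.
DISTRO_KEYS = {"distro-2010": b"distro-secret"}
ATTACKER_KEYS = {"mirror-evil": b"attacker-secret"}
PACKAGES = {"openssh": b"legit openssh bytes"}
RELEASE = build_release(DISTRO_KEYS, "distro-2010", PACKAGES)
KEYRING = {"distro-2010": DISTRO_KEYS["distro-2010"]}  # only the distro key is trusted

def scenario_clean():
    return fetch_package(KEYRING, RELEASE, PACKAGES, "openssh")[1]

def scenario_tampered_package():
    # Mirror swaps the package bytes but cannot re-sign the distro's manifest.
    return fetch_package(KEYRING, RELEASE, {"openssh": b"backdoored"}, "openssh")[1]

def scenario_resigned_by_mirror():
    # Mirror ships a tampered manifest signed with its own key; that key is not trusted.
    pk = {"openssh": b"backdoored"}
    rel = build_release(ATTACKER_KEYS, "mirror-evil", pk)
    return fetch_package(KEYRING, rel, pk, "openssh")[1]
```

The last check only holds if the mirror's key never gets imported into the keyring; a client that accepts whatever key the mirror offers would pass the re-signed manifest.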



