[ooni-dev] Fwd: Ooni / M-Lab Deployment Automation Script

Arturo Filastò art at torproject.org
Thu Jul 17 13:42:03 UTC 2014


Hi Least Authoritarians,

Thanks for the report. I will be away until the 30th of July so I will
not be able to resolve these issues until that date.

I will reply inline.

On 7/16/14, 11:44 PM, Nathan Wilcox wrote:
> ---------- Forwarded message ----------
> From: Taylor Hornby <taylor at leastauthority.com>
> Date: Wed, Jul 16, 2014 at 2:42 PM
> Subject: Ooni / M-Lab Deployment Automation Script
> 
> 
> All of these tickets, with the exception of #40, #12641, #41, #42, and
> #44 are now closed. Ticket #40 is a minor issue, but would involve
> significant design decisions on M-Lab's part, so we left it open for
> M-Lab to close. Ticket #12641 is about the use of a deprecated function
> in Ooni, to be fixed by the Ooni team.  Ticket #42 is about a missing
> dependency in Ooni for the Ooni team to fix.  Ticket #44 is about
> a security vulnerability that requires Ooni collaboration to resolve
> (see below).
> 

I will look more into #12641 and see if it is something that can be
fixed in ooni-backend, but from the looks of it, it seems like a Twisted bug.

We don't use the IStreamClientEndpointStringParser interface at all and
I see some other projects on the internet having the same issue:

https://github.com/getsentry/raven-python/issues/466


> We also found a new security vulnerability in Ooni:
> 
>     #12642: Can Network Attacker Downgrade Dependency Install Security?
>     https://trac.torproject.org/projects/tor/ticket/12642#ticket
> 

As I commented on the ticket I believe that there is not so much we can
do here except perhaps improve the documentation of ooni-backend.

I thought it was clear from the README.md that the user should verify
that all the commands that are run do not fail. If the pip command
fails because it did not download a dependency, then you are correct that
it is possible for an attacker to serve us a tampered dependency.

This has to do with the fact that Python dependency installation is
quite broken.

The script in the mlab support should check the return value of pip,
make sure it's 0, and hard fail if it is not.

For non-mlab deployments I think the best path is to start uploading
ooni-backend to pip and suggest installing it only via pip, without
downloading the git repo.

~ Art.
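The return-code check described above for the mlab support script, as an added example (not code from ooni-backend or the M-Lab scripts): it aborts when pip exits non-zero and also confirms that every requirement listed in the file is actually installed afterwards, so a dependency that failed to download cannot be silently carried past the install step. The requirements-file format and the `pip freeze` output shape are assumptions about the deployment.

```shell
#!/bin/sh
# Added example, not code from ooni-backend or the M-Lab support scripts.
# Hard-fail the deployment if pip exits non-zero or leaves a listed
# requirement uninstalled, instead of carrying on after a failed download.
set -eu

# Print the names from requirements file $1 that are absent from the
# "name==version" lines on stdin (the output of `pip freeze`).
# Names are compared case-insensitively with "_" folded to "-".
missing_requirements() {
    req_file="$1"
    # Installed names: drop "==version"; "-e git+..." lines stay as-is
    # and simply never match a plain requirement name.
    installed="$(sed 's/==.*//' | tr 'A-Z_' 'a-z-')"
    # Required names: drop comments, leading whitespace, blank lines and
    # version specifiers such as ">=14.0" or "== 0.5".
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' \
        -e 's/[][<>=!~; ].*//' "$req_file" \
        | tr 'A-Z_' 'a-z-' \
        | while read -r name; do
            [ -n "$name" ] || continue
            printf '%s\n' "$installed" | grep -qxF "$name" \
                || printf '%s\n' "$name"
        done
}

# Install from requirements file $1; return non-zero (after logging to
# stderr) if pip fails or anything in the file is still missing afterwards.
install_deps() {
    req_file="$1"
    if ! pip install -r "$req_file"; then
        echo "pip install -r $req_file failed; aborting deployment" >&2
        return 1
    fi
    missing="$(pip freeze | missing_requirements "$req_file")"
    if [ -n "$missing" ]; then
        echo "not installed after pip run: $missing; aborting deployment" >&2
        return 1
    fi
    echo "all requirements from $req_file installed"
}
```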
