[tor-talk] Operating system updates / software installation behind Tor Transparent Proxy

Fabian Keil freebsd-listen at fabiankeil.de
Sat Mar 3 13:10:31 UTC 2012


Robert Ransom <rransom.8774 at gmail.com> wrote:

> On 2012-03-02, Andrew Lewman <andrew at torproject.is> wrote:
> 
> > The trick is, I like to think I know what I'm doing and that I'll
> > notice if apt-get or my VM image fails to transfer untouched. Whether
> > I'll actually notice a sophisticated exploit in deb packages or my vm
> > image modified in perfect way that gpg or sha256 hashes don't detect,
> > remains to be seen. If I pulled a random person out of a barcamp and
> > asked them to do an OS X or Windows update over transparently proxied
> > tor, would they notice if the package was modified in transit? What do
> > these OSes do in this case? What about freebsd ports?
> 
> Every FreeBSD port's list of distfiles includes hashes and sizes of
> each distfile to be downloaded.  If I remember correctly, the only
> required hash is SHA-256.

Of course this only helps if you are actually building the
packages from source, something the "random person out of a barcamp"
probably doesn't do. The official packages are neither signed nor
transferred securely when using pkg_add -r.

It's my impression that signed packages aren't a priority
for the BSDs in general.

> portaudit downloads, ungzips and untars an unsigned file as root, then
> parses a text file extracted from what was hopefully a tarball in a
> shell script run (unnecessarily) as root.  Sucks to be a FreeBSD user.

While there's no need to run portaudit as root, I agree
that a signed auditfile.tbz would be preferable.

> But apt uses GPG (run with (necessarily) root privileges) to verify
> the files it downloads.  Sucks to be a Debian user when someone finds
> another code-exec bug in GPG's parsing code.

I don't see why apt absolutely has to run gpg with root privileges.
If it really does, that seems more like an implementation detail
than a necessity.

Fabian
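The distinfo check Robert describes, as an added example that is not part of this thread and not the ports framework's own code (bsd.port.mk does the equivalent from make): a fail-closed verification of a downloaded distfile against the SIZE and SHA256 entries of a ports-style distinfo file. The "SHA256 (name) = hex" / "SIZE (name) = bytes" line format is the real one; the port name foo-1.0.tar.gz, the file contents and the distinfo file itself are constructed for the demo, and a missing entry or any mismatch is treated as a failure rather than as "nothing to check".

```shell
#!/bin/sh
# Added example (not from the original post or the ports tree): verify a
# distfile against a ports-style distinfo file, failing closed on any mismatch.

# Print the SHA-256 hex digest of a file with whatever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'            # GNU coreutils
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                               # FreeBSD
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}' # last resort
    fi
}

# distinfo_field FIELD DISTNAME DISTINFO: print the value of the line
# "FIELD (DISTNAME) = value", or nothing if there is no such line.
distinfo_field() {
    awk -v f="$1" -v n="($2)" '$1 == f && $2 == n { print $4; exit }' "$3"
}

# verify_distfile DISTINFO DISTNAME FILE: return 0 only if both the SIZE and
# the SHA256 entry exist and match the file on disk.
verify_distfile() {
    distinfo=$1; name=$2; file=$3
    want_size=$(distinfo_field SIZE "$name" "$distinfo")
    want_hash=$(distinfo_field SHA256 "$name" "$distinfo")
    # A missing entry is a failure, not a reason to skip the check.
    if [ -z "$want_size" ] || [ -z "$want_hash" ]; then
        echo "verify: no SIZE/SHA256 entry for $name" >&2
        return 1
    fi
    # Cheap check first: a wrong size means a truncated or replaced download.
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "verify: $name is $have_size bytes, distinfo says $want_size" >&2
        return 1
    fi
    have_hash=$(sha256_of "$file")
    if [ "$have_hash" != "$want_hash" ]; then
        echo "verify: $name SHA256 mismatch" >&2
        return 1
    fi
    return 0
}

# --- constructed demo data (not real distfiles) ---------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
# Pretend foo-1.0.tar.gz is the 6-byte file "hello\n"; its SHA-256 is well known.
printf 'hello\n'  > "$DEMO/foo-1.0.tar.gz"
printf 'hellO\n'  > "$DEMO/foo-1.0.tar.gz.tampered"   # same size, one byte changed
printf 'hell'     > "$DEMO/foo-1.0.tar.gz.short"      # truncated in transit
cat > "$DEMO/distinfo" <<'EOF'
SHA256 (foo-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (foo-1.0.tar.gz) = 6
EOF

for f in foo-1.0.tar.gz foo-1.0.tar.gz.tampered foo-1.0.tar.gz.short; do
    if verify_distfile "$DEMO/distinfo" foo-1.0.tar.gz "$DEMO/$f"; then
        echo "$f: accepted"
    else
        echo "$f: rejected"
    fi
done
```

Note what this does and does not buy you: it detects a distfile altered between the mirror and you, but only because distinfo itself arrived intact through a separately authenticated channel (the ports tree). A binary package fetched with pkg_add -r over the same transparent proxy has no such out-of-band hash, which is the gap Fabian points at.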