[tor-talk] Operating system updates / software installation behind Tor Transparent Proxy
Fabian Keil
freebsd-listen at fabiankeil.de
Sat Mar 3 13:10:31 UTC 2012
Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 2012-03-02, Andrew Lewman <andrew at torproject.is> wrote:
>
> > The trick is, I like to think I know what I'm doing and that I'll
> > notice if apt-get or my VM image fails to transfer untouched. Whether
> > I'll actually notice a sophisticated exploit in deb packages or my VM
> > image modified in a perfect way that gpg or sha256 hashes don't detect
> > remains to be seen. If I pulled a random person out of a barcamp and
> > asked them to do an OS X or Windows update over transparently proxied
> > tor, would they notice if the package was modified in transit? What do
> > these OSes do in this case? What about FreeBSD ports?
>
> Every FreeBSD port's list of distfiles includes hashes and sizes of
> each distfile to be downloaded. If I remember correctly, the only
> required hash is SHA-256.
Of course this only helps if you are actually building the
packages from source, something the "random person out of a barcamp"
probably doesn't do. The official packages are neither signed nor
transferred securely when using pkg_add -r.
It's my impression that signed packages aren't a priority
for the BSDs in general.
> portaudit downloads, ungzips and untars an unsigned file as root, then
> parses a text file extracted from what was hopefully a tarball in a
> shell script run (unnecessarily) as root. Sucks to be a FreeBSD user.
While there's no need to run portaudit as root, I agree
that a signed auditfile.tbz would be preferable.
> But apt uses GPG (run with (necessarily) root privileges) to verify
> the files it downloads. Sucks to be a Debian user when someone finds
> another code-exec bug in GPG's parsing code.
I don't see why apt absolutely has to run a gpg with root privileges.
If it really does it, it seems more like an implementation detail
than a necessity.
Fabian
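The distinfo check Robert describes above (each distfile verified against a recorded SHA-256 and size before the port builds it) as an added example, not code from the thread or from the ports framework. It assumes the distinfo record format "SHA256 (name) = hex" and "SIZE (name) = bytes"; the function names, the constructed sample distfile and the tampering cases are mine. The demo also shows the two failure modes the check must catch: a distfile altered so that the size still matches, and a distinfo with no record at all (refuse rather than fall through).

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded distfile against a
# ports-style distinfo record before using it. The record format assumed is:
#   SHA256 (name) = <hex digest>
#   SIZE (name) = <bytes>

# Portable SHA-256 of a file: FreeBSD has sha256(1), Linux has sha256sum(1),
# and openssl(1) is the fallback.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# File size in bytes (wc -c pads with spaces on the BSDs; strip them).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO FILE NAME
# Returns 0 only when DISTINFO carries both a SHA256 and a SIZE record for NAME
# and both match FILE. A missing record is a failure, not a pass: a record the
# attacker could strip would otherwise disable the check.
verify_distfile() {
    distinfo=$1; file=$2; name=$3
    want_hash=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$distinfo")
    want_size=$(awk -v n="$name" '$1 == "SIZE"   && $2 == "(" n ")" { print $4 }' "$distinfo")
    if [ -z "$want_hash" ] || [ -z "$want_size" ]; then
        echo "$name: no SHA256/SIZE record in distinfo, refusing to use it" >&2
        return 1
    fi
    have_size=$(size_of "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "$name: size mismatch (expected $want_size, got $have_size)" >&2
        return 1
    fi
    have_hash=$(sha256_of "$file")
    if [ "$have_hash" != "$want_hash" ]; then
        echo "$name: SHA256 mismatch (expected $want_hash, got $have_hash)" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed distfile (hypothetical name pkg-1.0.tar.gz).
demo_dir=$(mktemp -d)
df="$demo_dir/pkg-1.0.tar.gz"
printf 'hello world\n' > "$df"
printf 'SHA256 (pkg-1.0.tar.gz) = %s\nSIZE (pkg-1.0.tar.gz) = %s\n' \
    "$(sha256_of "$df")" "$(size_of "$df")" > "$demo_dir/distinfo"

if verify_distfile "$demo_dir/distinfo" "$df" pkg-1.0.tar.gz; then
    echo "untouched distfile: accepted"
fi
# Same size, one byte changed: only the hash catches this.
printf 'jello world\n' > "$df"
verify_distfile "$demo_dir/distinfo" "$df" pkg-1.0.tar.gz || echo "modified distfile: rejected"
rm -rf "$demo_dir"
```

The check is only as good as the channel the reference hash arrived over: the ports tree carries distinfo separately from the distfile, so a proxy that alters the download cannot also alter the record, whereas pkg_add -r fetches the package with nothing to compare it against, which is exactly the gap discussed above.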