unsigned Gentoo latest files #19

Open
adrelanos opened this issue Jan 13, 2015 · 3 comments

Comments

@adrelanos

Gentoo latest files are apparently unsigned.

This is problematic, because automated build scripts such as @Securix-Linux cannot verify this file. An adversary could use this to mount rollback [1] or indefinite freeze [2] attacks.

https://github.com/martincmelik/Securix-Linux/blob/cb293269de0297a18c3b1af3275dbc3a81c22a6c/securix-install/install.sh#L799

 f_download "${SECURIX_STAGE3BASEURL}${STAGE3LATESTTXT}" "${GENTOO_STAGE3BASEURL}${STAGE3LATESTTXT}"

Related: #10


References:
[1], [2]: Defined as per TUF (The Update Framework), "Attacks and Weaknesses" / "Threat Model":
https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
http://www.webcitation.org/6F7Io2ncN


TODO:

  • Check Gentoo tracker if they have any plans to sign them.
  • Suggest this, if not yet.
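The two attacks named above are what an installer is exposed to when it trusts an unsigned "latest" pointer. The following is an added example (not code from Securix-Linux, Gentoo or the issue author) of the two checks an installer can still apply to such a file: reject a pointer that points to an older stage3 than the one seen last time (rollback), and reject a pointer whose stage3 is older than an allowed age (indefinite freeze). The file layout, the 30-day age limit and the `last_seen` state are assumptions; a real installer would persist `last_seen` on disk. Neither check replaces a signature: they only bound how far an attacker serving stale content can take you.

```python
"""Rollback / freeze checks for an unsigned Gentoo latest-stage3 pointer file.

Added example, not Securix-Linux or Gentoo code. Without a signature the
installer cannot authenticate the pointer, but it can still refuse pointers
that move backwards (rollback) or stop moving (indefinite freeze), in the
sense of the TUF threat model. The file layout and the age policy below are
assumptions, not facts from the issue.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the assumed 2015-era layout: a comment line, then
# one relative path to the stage3 tarball, whose name carries the build date.
SAMPLE_LATEST = """# Latest as of Tue, 13 Jan 2015 11:30:01 +0000
20150108/stage3-amd64-20150108.tar.bz2
"""

# Path must be <YYYYMMDD>/stage3-<variant>-<same YYYYMMDD>.tar.(bz2|xz);
# the backreference rejects a directory date that disagrees with the file name.
STAGE3_RE = re.compile(
    r"^(?P<date>\d{8})/stage3-[\w-]+-(?P=date)\.tar\.(?:bz2|xz)$"
)

# Assumed policy: a pointer whose stage3 is older than this is treated as frozen.
MAX_AGE = timedelta(days=30)


class LatestFileError(Exception):
    """Raised when the pointer file must not be used."""


def parse_latest(text):
    """Return (stage3_path, build_date) from the pointer file body.

    Comment lines are ignored; exactly one path line is required so that an
    attacker cannot smuggle a second candidate in front of the real one.
    """
    paths = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if len(paths) != 1:
        raise LatestFileError("expected exactly one stage3 path, got %d" % len(paths))
    m = STAGE3_RE.match(paths[0])
    if not m:
        raise LatestFileError("unexpected stage3 path: %r" % paths[0])
    build = datetime.strptime(m.group("date"), "%Y%m%d").replace(tzinfo=timezone.utc)
    return paths[0], build


def check_latest(text, last_seen, now, max_age=MAX_AGE):
    """Accept the pointer only if it passes both checks; return (path, build_date).

    last_seen: build date accepted on a previous run (None on first run).
    now:       current time, used for the freeze check.
    """
    path, build = parse_latest(text)
    # Rollback: the pointer must never name a stage3 older than one already accepted.
    if last_seen is not None and build < last_seen:
        raise LatestFileError("rollback: %s is older than previously seen %s"
                              % (build.date(), last_seen.date()))
    # Indefinite freeze: a pointer stuck on an old build is refused after max_age.
    if now - build > max_age:
        raise LatestFileError("freeze: %s is more than %d days old"
                              % (build.date(), max_age.days))
    return path, build


if __name__ == "__main__":
    now = datetime(2015, 1, 13, tzinfo=timezone.utc)
    print(check_latest(SAMPLE_LATEST, None, now))
```

The rollback check only works if the installer remembers the last accepted build date across runs; the freeze check only works if the host clock is trustworthy, which is itself one of the TUF assumptions. Both are mitigations for the missing signature, not a substitute for it.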

@adrelanos
Author

Answer in short summary:

WONTFIX

@memorylost731

That closes the debate.
On Feb 13, 2015 12:21 PM, "Patrick Schleizer" notifications@github.com
wrote:

Answer in short summary:

WONTFIX
