Secrecy and user trust

Fri Sep 5 14:22:59 UTC 2008

Anders Karlsson wrote:
> * jdow <jdow at earthlink.net> [20080905 08:56]:
>> Suppose I have NO RedHat installed. I have no working computer near
>> me. I want to install Fedora 9. How do I establish the ability to
>> subject the packages to tests for being properly signed, that the
>> key used in the test is correct, and that I am reading and updating
>> from a legitimate mirror?
> 
> In this event you are likely installing from physical media, which
> will have the public key on it already. If you do not trust that media
> - why are you installing from it?

And here you bring out a good point, most users probably download an 
image and create the media themselves. Assuming that you get the sha1sum 
from a trusted source *and use it*, you are probably as safe doing that 
as buying from a DVD house and using that, or going to an install-a-thon 
and having a perfect stranger install software on your system. Having 
been the installer a few times, perhaps people could question me, 
although no one has.
> 
> Once you have installed the system - the updates you are pulling down
> will be verified with the key that was on the media - unless you
> actively go and switch off the gpg checking.
> 
> The part about how to distribute the new public key - that is the
> thing that the infrastructure team is debating how to best do now.
> 
> Nitpicking - it is spelled "Red Hat".
> 
>> If this can be done once in an initial install situation it can be done
>> again in an update situation using the same mechanism.
>>
>> {^_^} 
> 
> As others have already pointed out - it's a question of trust. At some
> point or other - you have to decide what you trust. If you do not
> trust something, do not use it (and then live with the consequences of
> that choice).
> 
> If you decide not to trust passports, you will simply find it a bit
> hard to travel from country to country. If you don't trust the Fedora
> key, you'll find it a bit hard to use Fedora.
> 
> My view of the Fedora public key is that it is a means to verify the
> integrity of the packages coming from the Fedora repo's. That the
> package is originating from Fedora, and not from untrusted 3rd
> party and that the packages have not been tampered with in
> mid-flight. If you don't trust the method by which packages are
> downloaded, verified and installed by yum - maybe you'd trust going to
> the Fedora download site and grabbing the packages, one by one, and
> installing them by hand?
> 
> This is a potential solution actually. If you don't trust https:// to
> the download section of Fedora - you don't trust Fedora full stop. So
> providing a page with the new key, and instruction for what to change
> and how, on your system to point at the new repo's should satisfy even
> the most paranoid people on this list. As the packages are signed with
> the new key, and if you remove the old key - you should be OK. Right?

Actually, I would think that just distributing a single RPM package that 
way, containing the new key, would be preferable to getting it through 
the yum distribution channel, at least from my point of view. Then the 
yum channel would become trusted again.
> 
> Yes - it requires manual interaction, it'll be a PITA etc etc ad
> nauseum. You have a better, more trustworthy idea? Let's hear it.
> 
Actually I assumed that distribution directly from the Fedora servers 
had been impractical or even insecure for some reason, which is why I 
have proposed alternative ideas. It crossed my mind that the SSL certs 
might have been compromised as well.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot