[personal profile] robbat2

So on Slashdot today, there was a link to the latest research into package manager security. Specifically, their focus was on defeating signed packages by use of malicious mirrors and replay attacks of signed content. A malicious mirror can also record the source of client requests, and possibly deny specific security updates (by serving an older tree that doesn't contain the security updates).

This plays into some of my long-ongoing tree-signing research in Gentoo. The GLEPs, with the exception of 02 and 03, have been mailed to the GLEP editors as well as the portage-dev mailing list, and will be going to the gentoo-dev mailing list after the GLEP editors have reviewed them.

For dealing with the new issues raised by Cappos et al., at Gentoo we are really lucky to have our own infra-maintained, hardened rotation of mirrors at rsync://rsync.gentoo.org/ in addition to the community mirrors at rsync://rsync$N.$CC.gentoo.org/. Nobody using just the infra-maintained mirrors (barring MITM attacks) would be vulnerable to the new attacks described by Cappos; those using a community-maintained mirror, however, could be.

Using the main mirrors for the new signing purposes will enable us to deliver the new MetaManifests reliably via our own infrastructure, even when the user has a community mirror for their actual tree content. The actual changes to the GLEP for this weren't very big at all: just a timestamp header inside the signed area, as well as distributing the MetaManifests via a trusted medium.
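An added example (not code from the GLEPs or from Portage) of the client-side check that a timestamp inside the signed area makes possible: a correctly signed manifest is still rejected when it is older than one already accepted (replay) or older than a maximum age (a mirror withholding updates). The `Timestamp:` header layout, the two-day maximum age, the clock-skew allowance and all function names are assumptions; signature verification is assumed to have been done already, so only the verified signed text is passed in.

```python
from datetime import datetime, timedelta, timezone

class StaleManifest(Exception):
    """A validly signed manifest that must still be rejected."""

def signed_timestamp(verified_payload: str) -> datetime:
    # Input is only the text covered by the signature, so a "Timestamp:" line
    # that a mirror adds outside the signed area never reaches this parser.
    for line in verified_payload.splitlines():
        if not line.strip():
            break  # assumed layout: header lines end at the first blank line
        key, _, value = line.partition(":")
        if key.strip().lower() == "timestamp":
            try:
                ts = datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ")
            except ValueError as exc:
                raise StaleManifest("unparseable timestamp") from exc
            return ts.replace(tzinfo=timezone.utc)
    raise StaleManifest("no timestamp in signed area")

def check_freshness(verified_payload, last_accepted, now,
                    max_age=timedelta(days=2), skew=timedelta(minutes=5)):
    """Return the manifest timestamp to store, or raise StaleManifest."""
    ts = signed_timestamp(verified_payload)
    if last_accepted is not None and ts < last_accepted:
        raise StaleManifest("replay: older than a manifest already accepted")
    if ts > now + skew:
        raise StaleManifest("timestamp lies in the future")
    if now - ts > max_age:
        raise StaleManifest("freeze: manifest older than the allowed age")
    return ts

def rejection_reason(verified_payload, last_accepted, now):
    """Convenience wrapper: None if accepted, otherwise the reason string."""
    try:
        check_freshness(verified_payload, last_accepted, now)
        return None
    except StaleManifest as exc:
        return str(exc)

# Constructed sample of already-verified signed text (entries are placeholders).
SAMPLE = "Timestamp: 2008-07-10T12:00:00Z\n\nentry-1 <digest placeholder>\n"

if __name__ == "__main__":
    now = datetime(2008, 7, 11, tzinfo=timezone.utc)
    print(rejection_reason(SAMPLE, None, now))
    print(rejection_reason(SAMPLE, datetime(2008, 7, 10, 18, tzinfo=timezone.utc), now))
```

The client has to persist the returned timestamp between syncs; without that stored value the replay check cannot fire and only the maximum-age check remains.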

As a minor side note on the infra-maintained rsync.gentoo.org rotation, this would be a good time to consider sponsoring a box to Gentoo for that purpose. Each of the 5 existing boxes in the rotation does 50-65GiB of traffic every day - averaging to 6.5Mbit/sec, over a 24-hour period. These boxes are bandwidth, memory and CPU intensive; however, they don't hit disk very hard (we serve the trees directly from memory). The requirements are 4GiB RAM, 2+ 64-bit processors (single core or dual core is fine), and ~16GiB of disk (optional: software RAID1 is nice for avoiding downtime, and fancy fast disks aren't needed). We need a serial console or KVM to install it securely - you just boot the box to a livecd and get the access details to infra, and we install it from there with our own stage4 tarball that links into cfengine. The machine continues to be owned by the sponsor, in your data centre.

(no subject)

Date: 2008-07-11 02:31 pm (UTC)
From: [identity profile] unixronin.livejournal.com
Would you have any use for a loaded Sun E3000? 6x336MHz USII, internal 10-bay SCA rack, 2GB of RAM currently installed with room on the boards for 4GB more, three or four 100Mbit interfaces and a couple of GBIC slots? It needs a home.
Edited Date: 2008-07-11 02:32 pm (UTC)

(no subject)

Date: 2008-07-11 03:28 pm (UTC)
From: [identity profile] robbat2.livejournal.com
It could probably be put to use, but there is a severe shortage of rackspace and (independent) bandwidth in infra still. If you're just out to get rid of it, maybe ask the sparc team if they have a need for it.

(no subject)

Date: 2008-07-11 03:31 pm (UTC)
From: [identity profile] unixronin.livejournal.com
Yeah, at this point honestly I just want to find it a good home and get it out of the laundry-room closet.

Documentation on stage4 + CFEngine?

Date: 2008-07-11 06:26 pm (UTC)
From: (Anonymous)
I know that this is off-topic, but I think a few sysadmins out there would love to see how Gentoo Infra does stage4 + CFEngine. Are there public docs on how you guys accomplish this? This might be great for folks who are deploying Gentoo "into the Cloud", e.g. EC2 and the like.

(no subject)

Date: 2008-07-31 09:44 pm (UTC)
From: (Anonymous)
Is there someone who manages PR? I think that the best way to get this done is to write to some organizations and ask them for support. I

(no subject)

Date: 2008-08-01 12:06 am (UTC)
From: [identity profile] robbat2.livejournal.com
We do have a PR team, however searching for new hardware is usually the domain of the infrastructure team, and other folk that hear of willing potential sponsors direct them to us.

(no subject)

Date: 2008-08-01 10:41 am (UTC)
From: (Anonymous)
For starters I think it's best to put an announcement to the frontpage requesting help in this matter.

Furthermore we could ask the Hyves (www.hyves.nl) people if they are willing to donate a server towards this effort. They own a massive Gentoo serverpark near Amsterdam.

More info:
http://www.gentoo.org/main/en/sponsors.xml

http://www.gentoo.org/news/en/gmn/20080424-newsletter.xml#doc_chap3

We can also ask any of the larger Gentoo clusters:
http://www.gentoo.org/proj/en/cluster/

(no subject)

Date: 2008-08-01 03:52 pm (UTC)
From: [identity profile] robbat2.livejournal.com
Hyves already runs our Bugzilla machines, from that very article:
"Hyves will sponsor the Gentoo community by helping out with new servers for Bugzilla. We are putting up two large AMD64, 16Gb servers with fast SCSI disks for the database backend and 2 beefy webservers to improve the current bugzilla situation."

Most of the cluster folk aren't suitable, because the machines are inside the cluster set, not outside it.

(no subject)

Date: 2008-08-02 04:14 pm (UTC)
From: (Anonymous)
I'm investigating if it is possible for my company to donate a server. What are the requirements? Must it run Gentoo? Is a dedicated server required?

(no subject)

Date: 2008-08-02 04:39 pm (UTC)
From: [identity profile] robbat2.livejournal.com
If you just want to be rsync://rsync$N.$CC.gentoo.org/, or a distfiles/releases mirror, then it can be whatever hardware/OS is suitable for your own needs, you also get to manage the box yourself. Quite a few of the mirrors are shared boxes.

rsync: http://www.gentoo.org/doc/en/rsync.xml
distfiles: http://www.gentoo.org/doc/en/source_mirrors.xml

If you want to be more involved, a dedicated box running Gentoo is required. We'll generally figure out the best fit for the machine in our demands, but a machine that is 2 or more cores of any x86_64 CPU (Xeon, Core2, Opteron etc), 2+ GiB RAM is our basic minimum for useful machines at the moment. Soft or hard RAID1 makes it a lot easier. I wrote in my original post the serial/KVM requirements so that we can perform our own known-clean install on it.
Edited Date: 2008-08-02 04:40 pm (UTC)

