
freebsd-security : Message: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

http://groups.yahoo.com/group/freebsd-security/message/28708 [6/24/13 9:38:10 AM]


FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

Posted By: Sat Nov 17, 2012 8:00 pm

http://www.freebsd.org/news/2012-compromise.html
http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key

This is not about this incident, but about why major opensource projects need to be using a repository that has traceable, verifiable, built-in cryptographic authentication.

Any of hundreds of committer and admin accounts could be compromised with the attacker silently editing the repo. The same applies to any of those accounts going rogue. Backtrack diffing from a breach to 'see what changed' is not the ideal option. You really need to be using a strong repo so that any attack on it is null from the start. Another problem is bit rot wherever it may occur... disk, hardware, the wire, EMP and other systems.

As it is now, we have no way to verify that what we get on pressed CD's, ISO's, FTP sites, torrents, etc is strongly linked back to the original repo. Signing over a hash of the ISO is *not* the same as including the strong repo hash (commit) that was used to build the release and then signing over that and the ISO. We can't know that our local repository updates match the master. ports.tar.gz has no authentication either. Nor does anything in the entire project that originates from the current SVN/CVS repo... webpages, docs, tools, source tarballs, etc. The FTP packages aren't signed, and there are weak MD5's used in various parts of the install/package tools, mirrors, etc. We can't trade hashes amongst people. It's all just a bunch of random bits that someone may or may not have signed over. And even if signed they still wouldn't be strongly linked back to the master repo. Having such a disconnect at the root of everything you do is simply not good practice these days.

And these days, Git is what people and projects are moving to, and its rate of adoption and prevalence have essentially won out over all the rest in the new 'revision control 2.0 world'. And knowing Git is now more or less essential if you want to participate in a wide variety of community development, ref: github, etc.

The FreeBSD project needs to be providing both itself, and its users and benefactors with verifiable assurance that its repository, and any copies and derived products, are authentic and intact.

Don't argue against such a repository feature, or the cost to move, or bury your head in the sand by saying it could never happen to us...

Take this as a real opportunity to lead amongst the major opensource projects like Linux, and among the BSD's (like DragonFly has), and move to Git.

Once the root is fixed, you can push out secure distribution and update models from there. It all starts at the root and can't be done without it.

https://www.kernel.org/pub/software/scm/git/docs/git-fsck.html
Verifies the connectivity and validity of the objects in the database

http://git-scm.com/about/info-assurance
The data model that Git uses ensures the cryptographic integrity of every bit of your project. Every file and commit is checksummed and retrieved by its checksum when checked back out. It's impossible to get anything out of Git other than the exact bits you put in. It is also impossible to change any file, date, commit message, or any other data in a Git repository without changing the IDs of everything after it. This means that if you have a commit ID, you can be assured not only that your project is exactly the same as when it was committed, but that nothing in its history was changed.

https://en.wikipedia.org/wiki/Git_(software)
The Git history is stored in such a way that the id of a particular revision (a "commit" in Git terms) depends upon the complete development history leading up to that commit. Once it is published, it is not possible to change the old versions without it being noticed. The structure is similar to a hash tree, but with additional data at the nodes as well as the leaves.

Some references...
http://git-scm.com/
https://github.com/
http://gitweb.dragonflybsd.org/dragonfly.git
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git
_______________________________________________
freebsd-security@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@..."
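The hash chaining described in the git-scm and Wikipedia passages quoted in the post, as an added Python example that is not part of the original message and not Git's own code: it recomputes Git's SHA-1 object IDs for a small history and shows that editing only the oldest revision changes every later commit ID, even where the later file contents are identical. The file contents, committer identity and timestamp are constructed for illustration.

```python
import hashlib

def object_id(kind, body):
    """Git object ID: SHA-1 over b'<kind> <len>\\0' followed by the body."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def blob_id(data):
    return object_id(b"blob", data)

def tree_id(files):
    """Flat tree of regular files: b'100644 <name>\\0' + raw 20-byte blob ID each."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(data))
        for name, data in sorted(files.items()))
    return object_id(b"tree", body)

# Constructed identity and timestamp, held fixed so only content differs.
WHO = b"Example Committer <committer@example.org> 1353182406 -0500"

def commit_id(files, parent, message):
    """A commit names its tree and its parent, so its ID covers both."""
    lines = [b"tree " + tree_id(files).encode()]
    if parent:
        lines.append(b"parent " + parent.encode())
    lines += [b"author " + WHO, b"committer " + WHO, b"", message]
    return object_id(b"commit", b"\n".join(lines) + b"\n")

def history_ids(snapshots):
    """Commit IDs, oldest first, for a linear history of (files, message)."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(files, parent, message)
        ids.append(parent)
    return ids

def matches_trusted_tip(snapshots, trusted_tip):
    """True only if recomputing the whole history reproduces the trusted ID."""
    return history_ids(snapshots)[-1] == trusted_tip

# Constructed sample history (not FreeBSD code).
MAKEFILE = b"all:\n\tcc -o login login.c\n"
LOGIN_C = b"int main(void) { return 0; }\n"
ORIGINAL = [({"Makefile": MAKEFILE}, b"import build file"),
            ({"Makefile": MAKEFILE, "login.c": LOGIN_C}, b"add login")]
# Same history with only the first, oldest revision silently edited.
TAMPERED = [({"Makefile": MAKEFILE + b"# altered\n"}, ORIGINAL[0][1]),
            ORIGINAL[1]]
```

A release that signs over the tip commit ID lets anyone holding a copy run the `matches_trusted_tip` check; it says nothing about who authored a commit, only that the bits and their history are the ones that were signed.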


FreeBSD needs Git to ensure repo integrity [was: 2012 incident] http://www.freebsd.org/news/2012-compromise.html http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key This...

grarpamp grarpamp@...

Nov 18, 2012 1:34 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] On Sat, 17 Nov 2012 15:00:06 -0500 ... LOL And how will this help Linux? http://lwn.net/Articles/457142/ ...

Ivan Klymenko fidaj@...

Nov 18, 2012 1:35 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] [snip] There's a git repository. It's public. You can look at what goes into the FreeBSD git clone to get your assurance that things aren't being snuck in....

Adrian Chadd adrian@...

Nov 18, 2012 5:13 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Yup: https://github.com/freebsd/ ...

Robert Simmons rsimmons0@...

Nov 18, 2012 5:21 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] Hello, Adrian. You wrote 18 November 2012, 8:55:54: AC> There's a git repository. It's public. You can look at what goes into AC> the FreeBSD git clone...

Lev Serebryakov lev@...

Nov 18, 2012 10:45 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... I've always been confused by this. Which source repo is the true source of truth? To obtain the FreeBSD source, you can use CVS, SVN, or Git? Do all have...

Zach Leslie xaque208@...

Nov 20, 2012 3:05 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... This changed a few months ago when ports and doc switched. As of now: - SVN is *the* source of truth. - CVS is exported from svn. It will eventually go...

Eitan Adler lists@...

Nov 20, 2012 3:28 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Would it be possible to publish FreeBSD's Subversion repository using HTTPS, instead of HTTP? -- I FIGHT FOR THE USERS ...

xenophon+freebsd xenophon+freebsd@...

Nov 20, 2012 9:55 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... I don't know how often they update, but the mirrors listed at http://www.freebsd.org/doc/handbook/mirrors-svn.html have both http and https available Gary ...

Gary Palmer gpalmer@...

Nov 20, 2012 12:07 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] On 20 November 2012 04:54, xenophon+freebsd ... %svn ls https://svn0.us-west.FreeBSD.org/base/ -- Eitan Adler ...

Eitan Adler lists@...

Nov 20, 2012 4:27 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... You will get a certificate warning. The certificates used do not appear to be officially signed by a recognised CA. The hashes of the certificate keys...

Gary Palmer gpalmer@...

Nov 20, 2012 4:31 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... The certificates are self-signed. Whilst the hashes are published on the FreeBSD website, that site is only available via HTTP so there's still a...

Peter Jeremy peter@...

Nov 21, 2012 3:20 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... See DANE, RFC 6698. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET:...

Mark Andrews marka@...

Nov 21, 2012 3:38 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Which means getting the FreeBSD.org domain signed using DNSSEC. Something I'd be very happy to see. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. PGP:...

Matthew Seaman matthew@...

Nov 21, 2012 12:17 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... http://mercurial.selenic.com/about/ -- Sphinx of black quartz, judge my vow. ...

Volodymyr Kostyrko c.kworr@...

Nov 19, 2012 12:57 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Even if it was BSD licensed, Mercurial has a huge dependency: Python; and Git is Perl-based. So neither of them is ideal, IMHO. If at all, we'd need a lean...

C. P. Ghost cpghost@...

Nov 19, 2012 1:29 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... http://mercurial.selenic.com/wiki/License http://selenic.com/hg/file/tip/COPYING http://mercurial.selenic.com/about/ "Mercurial is free software licensed...

Mehmet Erol Sanliturk m.e.sanliturk@...

Nov 19, 2012 1:29 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] http://www.fossil-scm.org/ I'm not a fossil user, but it's BSD licensed and written in C. Baptiste Daroussin probably could tell us more about fossil pro and cons....

Alexander Yerenkow yerenkow@...

Nov 19, 2012 1:58 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... This misses one of the main points raised in the original post. The proliferation of git as a revision control system. Also, this particular tool bails...

Zach Leslie xaque208@...

Nov 20, 2012 3:08 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... I would argue that git bails on that as well, but that's a different discussion. Whether or not fossil does "one thing" depends on which "one thing" you...

Mike Meyer mwm@...

Nov 20, 2012 11:48 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Look at the internal of fossil and how things are done in fossil and you would understand that the last sentence is totally wrong. Fossil has really nice...

Baptiste Daroussin bapt@...

Nov 21, 2012 2:17 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Nope, git is almost all C even though some other tools relying on git are in Perl. ... We don't have svn in base either. Your point? -- Ollivier ROBERT...

Ollivier Robert roberto@...

Nov 19, 2012 1:43 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... http://selenic.com/repo/hg/file/fd903f89e42b http://selenic.com/repo/hg/file/fd903f89e42b/COPYING "GNU GENERAL PUBLIC LICENSE ...

Mehmet Erol Sanliturk m.e.sanliturk@...

Nov 19, 2012 1:17 pm

Re: FreeBSD needs Git to ensure repo integrity ... FUD. Committer accounts don't have direct access to the repo. DES -- Dag-Erling Smørgrav - des@... ...

Dag-Erling Smørgrav des@...

Nov 25, 2012 9:14 pm
