[TriLUG] The sad state of sysadmin in the age of containers

Sean Alexandre via TriLUG trilug at trilug.org
Fri Mar 13 14:17:02 EDT 2015


On Fri, Mar 13, 2015 at 01:53:01PM -0400, Igor Partola via TriLUG wrote:
> Ah, well there's the real issue then. I really don't see Puppet as
> something evil... Blaming Puppet for these security problems is...

Straw man argument. This isn't about Puppet, or any one package, but the bigger
picture.

> Now, onto the real problem: HTTP and lack of signatures. HTTP is easy to
> fix: it needs to die. We should all move to HTTPS, and this summer most
> sites will (see https://letsencrypt.org/).

Yes! But more below...

> The second part is much trickier: signing code. Whose signatures do you
> trust? How do you know that the person isn't doing something nefarious? Or
> one of their collaborators? For example, I publish a number of open source
> libraries and projects on GitHub. You can download them there, and I can
> even personally send you a signed tarball using my private PGP key. You can
> be 100% sure that the code comes from me. But that doesn't tell you whether
> the code contains a backdoor or not. Without reading any source code you
> won't know it, and most people do not read 100% of the code they use
> (indeed, it would take ages to do it, and every update would mean that it
> becomes necessary to do it again).

Agreed.

> In other words, you have to trust me personally, if you want to use my
> code. My signature on it is necessary, but not sufficient to ensure you
> aren't downloading a backdoor. This is why distro-independent repositories
> (such as PyPI) don't require authors to sign their packages: it doesn't
> matter. The download is secured since it comes via HTTPS, but whether it
> comes from author A or B is often not an issue: you as the user of the
> package cannot tell them apart anyways.

HTTPS isn't a panacea. The CA system has lots of problems and shouldn't be
relied on exclusively. I do agree, though, it's a good layer of defense. It
just shouldn't be the only one.

> So why do distros use signed packages, while lots of other sources don't?
> The answer is that it's a good idea and distros have the resources to read
> all the code. Moreover, they place huge time constraints on publishing the
> package. It will take months or years for a new package to appear in
> Debian. It will take days or weeks for an update to make it in. PyPI and
> the like don't do this: updates are instant. This gives more authors the
> freedom to publish source and binary packages, at the cost of security.
> Seems like a bad tradeoff, until you try using both methods and see just
> how slow publishing a package for a distro is. As the author of the
> software, I don't want to wait years, especially since I'm likely trying to
> use the software right away.

Signing and rolling releases aren't mutually exclusive. It's perfectly
reasonable to expect an upstream developer to sign releases with each new
version. This isn't difficult, and not hard for a downstream packager to check.

This to me is about defense in depth. Trust chains can exist without reading code,
and are a good layer of defense.

Reading the code is another layer of defense, for sure, although it may only be
something a package maintainer (hopefully!) has time for.

> Having said all that, any time you see a situation where code is downloaded
> over HTTP and without a signature, shame the involved parties publicly!

Totally agree!
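The upstream-signs, downstream-checks step discussed above, as an added example that is not part of the thread: the developer makes a detached GPG signature over a release tarball, and the packager verifies it against a pinned key fingerprint rather than trusting a bare `gpg --verify` exit status. The key, the names (demo@example.invalid, demo-release) and the tarball contents are constructed for this demo; it assumes gpg 2.1 or later and runs entirely in throwaway GNUPGHOME directories.

```sh
#!/bin/sh
# Added example, not code from the thread: upstream signs a release tarball,
# the packager verifies it against a pinned fingerprint. Key, names and file
# contents are constructed; both sides use throwaway GNUPGHOME dirs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
UPSTREAM_HOME="$WORK/upstream"; PACKAGER_HOME="$WORK/packager"
mkdir -m 700 "$UPSTREAM_HOME" "$PACKAGER_HOME"

# --- Upstream side: generate a signing key (no passphrase, demo only) --------
GNUPGHOME="$UPSTREAM_HOME" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Upstream
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
TARBALL="$WORK/demo-release-1.0.tar.gz"
printf 'demo-release 1.0 (constructed tarball contents)\n' > "$TARBALL"
# Detached, ASCII-armored signature: produces demo-release-1.0.tar.gz.asc
GNUPGHOME="$UPSTREAM_HOME" gpg --batch --yes --armor --detach-sign \
    --local-user demo@example.invalid "$TARBALL"
# Publish the public key; the packager pins its fingerprint out of band.
GNUPGHOME="$UPSTREAM_HOME" gpg --batch --armor --export demo@example.invalid \
    > "$WORK/upstream.pub"
PINNED_FPR=$(GNUPGHOME="$UPSTREAM_HOME" gpg --batch --with-colons \
    --fingerprint demo@example.invalid | awk -F: '$1 == "fpr" { print $10; exit }')

# --- Packager side: import the key once, then check every release -----------
GNUPGHOME="$PACKAGER_HOME" gpg --batch --quiet --import "$WORK/upstream.pub"

# verify_release TARBALL SIGNATURE: 0 only if the signature is valid AND made
# by the pinned key. A bare `gpg --verify` exit status only says "valid for
# some key in the keyring", so the VALIDSIG fingerprint is checked explicitly.
verify_release() {
    GNUPGHOME="$PACKAGER_HOME" gpg --batch --status-fd 1 --verify "$2" "$1" \
        2>/dev/null | grep -q "^\[GNUPG:\] VALIDSIG $PINNED_FPR "
}

if verify_release "$TARBALL" "$TARBALL.asc"; then
    echo "genuine release verified against pinned key $PINNED_FPR"
fi
```

A modified tarball checked against the original signature fails the same check, which is what a packager's build script should treat as a hard stop.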
