Software manager a threat to security?


Postby alanmoore on Fri Sep 10, 2010 3:28 pm

Hi, guys! I know close to zero about this particular problem, as I have not tested LM Debian yet, but I think it might be of interest to the Mint team. Today, I read a good review about LMDE.

http://desktoplinuxreviews.com/2010/09/07/linux-mint-9-debian

One of the comments, by Brian Masinick, however, stated this:

I was dismayed to see that, once again, the Mint software management programs are unable to cope with package authentication keys. I explicitly checked and enabled all of the Debian related keys and used apt-get instead of the good looking (but under-protective) package management tools, and then had the results I was looking for. I say this and it disturbs me because the typical audience for Mint isn’t going to know anything about package keys, and won’t see or know what they are missing, especially since the Mint tools silence those kinds of messages. If that doesn’t bother you, then ignore me, but I think it bears repeating because not many people know about the issue. Package authentication keys are safeguards against having felonious packages substituted for packages in the system. Mint takes safeguards, I am sure, but even the much heralded Debian project has been compromised in the past, so don’t be too smug or secure in thinking it couldn’t happen again. It could, so that’s why I am issuing the warning.


In another comment, the same user writes the following:

I don’t like the Mint handling of packages using their GUI based tools that Jim likes so much. They are simple, but they hide and obscure the fact that the package signatures are missing on a lot of packages.

Turns out that at least on the Debian side, you CAN install the package signature keys. I did that, grabbing them from the Debian repository. Once I did that, I manually installed some stuff using apt-get and then it worked the way that I want it to work. The way that Mint ships it is fundamentally insecure, and leaves them wide open to package attacks. They’d better lock down their repos like a fort. Debian thought they were so tightly and carefully controlled, but in the decade that I’ve used Debian, they’ve had their servers attacked two or three times. Debian was right on top of it, but the intruders did get in. Perhaps Mint will be on top of things too. It’s just that since package keys are widely available and Debian has them, Mint ought to enable them. The reason they don’t seems to be that their Software Manager can’t handle them properly. The Mint guys don’t know how to set the package priorities to prefer their packages (which may have fixes that they’ve implemented) over the upstream packages – at least that was the claimed problem when using Ubuntu repositories. Mint developers have not (at least not yet) fixed this issue even though Debian has great keys and excellent authentication.


And, later, he continues:

I used "apt-cache search keyring | more" to find stuff like this. One file you want to make sure is installed is debian-archive-keyring – GnuPG archive keys of the Debian archive. If you use multimedia, make sure that debian-multimedia-keyring is included. Any other repositories that are included need to have their corresponding keyring installed, otherwise packages for that repository have no check to ensure their authenticity.


Since I am still a newbie and know very little about the internals of APT, could you guys please, for the sake of clarity, tell us Mint users whether this is something we should be worried about?

Thank you very much.

Re: Software manager a threat to security?

Postby skwrl on Thu Sep 16, 2010 2:22 pm

Hear hear, well put.

I too am looking forward to some clarification from the good folks at Linux Mint on this issue. I'm not a Debian package security expert either, but when I've run Debian, they tend to discourage installing unauthenticated packages.

I'm using it as a motivator to teach myself more about Debian package security, starting here:

http://wiki.debian.org/SecureApt
There was an article on Package Authentication in the Sept. "Linux Pro Magazine", but I can't readily find it online.

Dave

Re: Software manager a threat to security?

Postby alanmoore on Tue Sep 21, 2010 11:37 am

It looks like Clem and the Mint team were aware of this and have already given a response:

http://www.linuxmint.com/blog/?p=1543
