Rich Freeman via plug on 27 Dec 2022 14:48:01 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Possible Break in on Arch Linux Systems:


On Tue, Dec 27, 2022 at 5:30 PM Rich Mingin (PLUG) via plug
<plug@lists.phillylinux.org> wrote:
>
> Seems normal. Good to be vigilant, but so far nothing to see here.
>

Two comments: one arch-specific, one general.

Arch seems to have individual developers sign their packages, and that
is the key that the package manager uses to validate integrity.  This
means that every time a dev joins/leaves their project or updates
their personal key anybody who uses arch needs to update their
keyring.  Most distros tend to do that sort of thing internally, but
then some release server validates this and then adds a distro-level
signature, and the key for that rarely changes, which is why on most
distros you don't see that kind of churn.  For example, on Gentoo
developers sign everything themselves, and if you look at the Gentoo
git repo you'll see a ton of individual dev keys used.  Then the CI
server grabs the top master commit, does a validation of all
signatures vs the internal LDAP records of what keys everybody is
supposed to be using, checking all commits since the last validation
cycle.  If everything is good it applies a merge commit and signature
on top of the branch, and then pushes that to a stable branch that is
used for syncing.  The result is that the top commit is always signed
by the distro key and this is what is checked when the package manager
does a sync on an end-user system.

You could argue that using individual dev keys shields you from a
distro-level compromise, but instead the compromise of any dev key is
exposed to the user until their keychain is updated, and now users
have to stay on top of every dev key.  Of course the arch way is
probably simpler - their repo can just be a repo, though since it is a
binary distro I imagine they still have build servers to build
official packages (an issue Gentoo does not have - our CI just does
quality checks).

Then the general comment: if you really think that a distro might be
compromised you might do better to ask the devs of that distro.
They're going to be most familiar with what is or isn't expected
behavior on that distro, and of course if they are compromised they
would greatly appreciate knowing about it ASAP.  Such a thing tends to
be unlikely because most distros take this stuff seriously and try to
safeguard against it.  I get though that the Arch keyring behavior
could be unexpected if you have experience in some other distro.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug