[Fwd: Re: How secure is Preupgrade? Answer: Not.]

max maximilianbianco at gmail.com
Thu May 22 01:45:31 UTC 2008


Björn Persson wrote:
> Will Woods wrote:
>> Preupgrade is currently designed to be exactly as secure as an anaconda
>> http install. No less, no more.
> 
> But it's not being marketed as an alternative to an Anaconda HTTP install with 
> less downtime as the only improvement. It's being marketed as a safer 
> alternative to a live upgrade with Yum, and as a faster, more convenient and 
> less bandwidth-wasting alternative to downloading and burning DVD images. See 
> this article for example:
> 
> http://www.redhatmagazine.com/2008/04/15/interview-fedora-developers-seth-vidal-and-will-woods/
> 
> The article talks a lot about how Preupgrade is better than both a Yum upgrade 
> and a DVD-based upgrade, but says very little about network-based Anaconda 
> upgrades, and it's completely silent about the security aspect. Here's a 
> quote from the article:
> 
> "So you can upgrade with the convenience and bandwidth savings of a live 
> upgrade, but without the risky craziness inherent therein."
> 
> Yeah, it avoids the risky craziness inherent in a Yum upgrade but adds instead 
> the crazy riskiness inherent in an HTTP-based Anaconda upgrade. That's no 
> improvement in my book. No matter what the risks with a Yum upgrade are, 
> getting intruders in my computer is worse.
> 
>> Nothing's *missing*. There just aren't any signatures to check for the
>> boot images, and there never have been.
> 
> For several years now, all my boot images have been included in ISO images. 
> Those ISO images have been accompanied by checksum files, and those checksum 
> files have been cryptographically signed. I always verify the signature and 
> the checksums, and when they're verified correctly I know that all the files 
> in the ISO image are clean, including the boot images.
> 
> Generating detached signatures for the boot images and putting them in the 
> directory where the images are published would take at most five minutes of 
> manual work for each release.
> 
>> Furthermore anaconda doesn't check the gpg signatures of packages it
>> downloads and installs during http installs. Never has. That's bug #998.
>> (Yes, #998. Not a typo. See https://bugzilla.redhat.com/998)
> 
> Would you like to guess why I never do network-based installs except from my 
> own server directly attached with a crossover cable?
> 
> Björn Persson
> 
First my thanks to Bjorn for taking the time to start this discussion. 
Then my piece, after which I will try like hell to leave this alone.
I am glad at least that the "preupgrade is still in testing" argument 
was never brought up, or the "you're automatically a guinea pig if you get 
things from the testing repo". All that aside, I for one feel that if the 
Fedora Community is going to continue to thrive and grow then security 
has to be dealt with openly. I have in the past tried to broach the 
security issue without much success. Everyone is afraid to talk about 
it; instead I have seen suggestions, from some, that these things 
shouldn't be discussed openly for fear that crackers will get ideas. 
Security by obscurity is not real security, it's just purposely pulling 
the wool over your own eyes. If the time isn't taken to properly 
consider these things in the planning phase then what are the odds that 
it will ever be dealt with properly? Who will you blame when your box 
gets compromised? How many will look in the mirror first when the time 
comes? How many of us have the stones to be that honest with ourselves? A 
while back I posted a link to an article that I found while going over 
Dan Walsh's live journal; it was titled: The Six Dumbest Ideas in 
Computer Security. The article is itself a few years old and most of the 
dumb ideas much older than that. Frankly I am surprised by how many of 
these dumb ideas are still around, not necessarily among the Fedora 
Community specifically but out there where I work, amongst these small 
businesses that I do work for on occasion, most especially but not 
surprisingly amongst the home PC users, largely running M$ sure, but even 
so I have seen this ignorance extend to system admins with many years of 
experience. People seem to just put their security in the hands of some 
software engineer they have never met and accept whatever half-baked 
piece of crap gets marketed from week to week. I wonder what it says 
about a community that the issue cannot be raised without it 
degenerating into some mindless flame war, that a positive and useful 
discussion cannot take place on the bleeding edge of software amongst a 
community that is supposed to be leading the way for FOSS. I've said my 
piece; torch me in effigy if you must, start lobbing the flame grenades 
at me if you need a target, blame me if you like for all the ills of the 
world; it ultimately won't change the fact that many of us shirk our 
responsibility to Fedora and Red Hat.
I have an operating system, completely free, it costs me nothing. All I 
hear is whining about the video drivers, pulseaudio. "I am going to 
Ubuntu" because I can't get my palm pilot to work or my mp3 codec isn't 
included. There is always my personal favorite: "I am turning SELinux 
off, it's too hard, it sucks, my flash doesn't work". The Adobe flash is 
a gaping security hole in every computer across this planet and people 
line up to get screwed by it. We've been given a gift, a precious thing, 
the freedom to define our experience, and instead of helping improve it 
all we do is complain that it doesn't measure up to our broken standard.

-- 
On the eighth day he said "There shall be no rest for the weary."

On the ninth day he farted, and it smelled like sulphur ;^)
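The verification chain Björn describes in the quoted part of the thread (a signed checksum file, checked before any checksum is trusted, and a detached signature published beside the images) can be shown end to end with a small script. This is an added example, not code from the thread, from Fedora, or from anaconda: it constructs two dummy "boot images", a throwaway GPG key, and uses SHA-256 rather than the SHA1SUM files Fedora shipped at the time. The point it makes is the one Björn makes: an attacker who swaps an image on an HTTP mirror can also rewrite the checksum file, so only the signature check on that file makes the checksums mean anything.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Models both sides of
# the procedure: a release engineer publishes SHA256SUM plus a detached GPG
# signature of it; a user verifies the signature first, then the checksums.
# Directory layout, image names and the demo key are all constructed here.
set -u

# Maintainer side: hash every *.img in $1, write SHA256SUM, and detach-sign
# it with the key in GPG home directory $2. Publishing SHA256SUM.asc next to
# the images is the "five minutes of manual work" Björn refers to.
publish_images() {
    dir=$1; gpghome=$2
    ( cd "$dir" && sha256sum *.img > SHA256SUM ) || return 1
    gpg --homedir "$gpghome" --batch --yes --pinentry-mode loopback \
        --passphrase '' --detach-sign --armor \
        -o "$dir/SHA256SUM.asc" "$dir/SHA256SUM" 2>/dev/null
}

# User side: refuse to trust SHA256SUM unless its signature verifies against
# the keyring in $2, and only then check the images it lists. Fails closed
# when gpg is absent: an unverified checksum file proves nothing about the
# images, since whoever replaced an image could replace the checksums too.
verify_images() {
    dir=$1; gpghome=$2
    command -v gpg >/dev/null 2>&1 \
        || { echo "no gpg available: cannot verify signature, refusing" >&2; return 2; }
    gpg --homedir "$gpghome" --batch --verify \
        "$dir/SHA256SUM.asc" "$dir/SHA256SUM" 2>/dev/null \
        || { echo "signature check FAILED: do not trust SHA256SUM" >&2; return 1; }
    ( cd "$dir" && sha256sum -c --quiet --strict SHA256SUM ) \
        || { echo "checksum mismatch: an image was modified or corrupted" >&2; return 1; }
    echo "boot images verified"
}

# Create a throwaway, passphrase-less signing key in GPG home $1 (demo only;
# a real release key would live on an offline signing host).
make_demo_key() {
    gpghome=$1
    mkdir -p "$gpghome" && chmod 700 "$gpghome"
    gpg --homedir "$gpghome" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <demo@example.invalid>' \
        default default never >/dev/null 2>&1
}

# Stand-alone demo: publish, verify, tamper with an image, verify again.
if [ "${DEMO:-0}" = 1 ]; then
    T=$(mktemp -d)
    printf 'kernel bytes' > "$T/vmlinuz.img"
    printf 'initrd bytes' > "$T/initrd.img"
    make_demo_key "$T/gnupg" && publish_images "$T" "$T/gnupg"
    verify_images "$T" "$T/gnupg"
    printf 'extra' >> "$T/initrd.img"          # simulated modified mirror copy
    verify_images "$T" "$T/gnupg" || echo "tampering detected, as expected"
fi
```

Run with `DEMO=1 sh verify-images.sh` (file name assumed). The second failure mode worth trying by hand is re-running `sha256sum *.img > SHA256SUM` after the edit: the checksums then match the modified image, and it is the signature step alone that still rejects the download, which is exactly why a bare checksum file on the same HTTP server adds nothing without a signature.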