Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150403190229.GA15416@hunt>
Date: Fri, 3 Apr 2015 12:02:29 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: membership request  to the closed linux-distros
 security mailing list

On Fri, Apr 03, 2015 at 01:09:39AM -0400, Daniel Micay wrote:
> I guess Ubuntu has to be dropped from the linux-distros then, because
> www.ubuntu.com appears to be http-only and the ISO download is entirely
> insecure.

Ubuntu ISO downloads come alongside signed SHA256SUMs files:
http://mirror.pnl.gov/releases/14.10/SHA256SUMS
http://mirror.pnl.gov/releases/14.10/SHA256SUMS.gpg

Granted, determining if the hashes was signed by a legitimate key is
difficult to bootstrap, and our website currently doesn't help. As a
result of Kurt's recent discussion about Kali Linux, and simultaneous
prompting by Douglass Clem, I have asked our web team to make the ISO
signing keys more prominently available on our website than just mentioned
on one wiki page.

> The security notices are also served insecurely there:
> 
> http://www.ubuntu.com/usn/

The security advisories we send via email are gpg signed:
https://lists.ubuntu.com/archives/ubuntu-security-announce/

In addition, the mechanism we suggest our users should use to apply
updates -- apt-get update && apt-get dist-upgrade, or the graphical
equivalent -- provides for full trust path validation automatically. The
advisories are simply additional information for the curious. Our users
can freely ignore our mailed and posted advisories if they wish.

I raised my concerns about Enea's advisories largely because it appeared
that their recommended mechanism of acquiring and installing updates
is entirely unvalidated from end to end. If they are also using an
authenticated tool like up2date, yum, apt-get, apt-rpm, zypper, pacman,
pkgsrc, or git with signed tags or otherwise authenticated tags, as the
actual mechanism users should use to download updates, then they should
recommend using that tool in their advisories.

> Am I missing something... ? It doesn't make much sense to criticize this
> when you folks are doing the same. I do get the impression that Enea
> Linux is handling security poorly (where are all of the other issues?)
> but this bothered me.

Funny, I didn't worry too much about how fee issues they've addressed:
I don't know what packages they ship, nor the threat models their users
may have with their systems.

Please don't hesitate to share any other concerns with Ubuntu's security
practices.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.