freebsd-security : Message: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
http://groups.yahoo.com/group/freebsd-security/message/28708[6/24/13 9:38:10 AM]
FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
Posted By: Sat Nov 17, 2012 8:00 pm
http://www.freebsd.org/news/2012-compromise.html
http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key
This is not about this incident, but about why major open-source projects need to be using a repository that has traceable, verifiable, built-in cryptographic authentication.

Any of hundreds of committer and admin accounts could be compromised with the attacker silently editing the repo. The same applies to any of those accounts going rogue. Backtrack diffing from a breach to 'see what changed' is not the ideal option. You really need to be using a strong repo so that any attack on it is null from the start. Another problem is bit rot wherever it may occur... disk, hardware, the wire, EMP and other systems.

As it is now, we have no way to verify that what we get on pressed CDs, ISOs, FTP sites, torrents, etc. is strongly linked back to the original repo. Signing over a hash of the ISO is *not* the same as including the strong repo hash (commit) that was used to build the release and then signing over that and the ISO. We can't know that our local repository updates match the master. ports.tar.gz has no authentication either. Nor does anything in the entire project that originates from the current SVN/CVS repo... webpages, docs, tools, source tarballs, etc. The FTP packages aren't signed, and there are weak MD5s used in various parts of the install/package tools, mirrors, etc. We can't trade hashes amongst people. It's all just a bunch of random bits that someone may or may not have signed over. And even if signed they still wouldn't be strongly linked back to the master repo. Having such a disconnect at the root of everything you do is simply not good practice these days.

And these days, Git is what people and projects are moving to, and its rate of adoption and prevalence have essentially won out over all the rest in the new 'revision control 2.0 world'. And knowing Git is now more or less essential if you want to participate in a wide variety of community development, ref: github, etc.

The FreeBSD project needs to be providing both itself, and its users and benefactors with verifiable assurance that its repository, and any copies and derived products, are authentic and intact.

Don't argue against such a repository feature, or the cost to move, or bury your head in the sand by saying it could never happen to us... Take this as a real opportunity to lead amongst the major open-source projects like Linux, and among the BSDs (like DragonFly has), and move to Git.

Once the root is fixed, you can push out secure distribution and update models from there. It all starts at the root and can't be done without it.

https://www.kernel.org/pub/software/scm/git/docs/git-fsck.html
Verifies the connectivity and validity of the objects in the database

http://git-scm.com/about/info-assurance
The data model that Git uses ensures the cryptographic integrity of every bit of your project. Every file and commit is checksummed and retrieved by its checksum when checked back out. It's impossible to get anything out of Git other than the exact bits you put in. It is also impossible to change any file, date, commit message, or any other data in a Git repository without changing the IDs of everything after it. This means that if you have a commit ID, you can be assured not only that your project is exactly the same as when it was committed, but that nothing in its history was changed.

https://en.wikipedia.org/wiki/Git_(software)
The Git history is stored in such a way that the id of a particular revision (a "commit" in Git terms) depends upon the complete development history leading up to that commit. Once it is published, it is not possible to change the old versions without it being noticed. The structure is similar to a hash tree, but with additional data at the nodes as well as the leaves.
Some references...
http://git-scm.com/
https://github.com/
http://gitweb.dragonflybsd.org/dragonfly.git
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git
_______________________________________________
freebsd-security@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@..."
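As an added illustration (not part of the original post or of any FreeBSD or Git code), the following Python models Git's content-addressed object store and the validity-plus-connectivity walk that git-fsck performs, then shows that a silent in-place edit of an old blob, or a vanished object, is detected from the head commit id alone. Object ids follow Git's real hashing scheme (SHA-1 over "<type> <size>\0<body>"); the in-memory store, the fixed committer identity and the two-commit history are constructed for the example, and real Git additionally zlib-compresses objects on disk, which does not affect the ids.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Store = Dict[str, Tuple[str, bytes]]  # object id (hex SHA-1) -> (type, body bytes)


def git_object_id(kind: str, body: bytes) -> str:
    """Git's content address: SHA-1 over "<type> <size>\\0<body>" (Git's real scheme)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def store_object(store: Store, kind: str, body: bytes) -> str:
    oid = git_object_id(kind, body)
    store[oid] = (kind, body)
    return oid


def write_blob(store: Store, content: bytes) -> str:
    return store_object(store, "blob", content)


def write_tree(store: Store, entries: Dict[str, str]) -> str:
    """Tree body: "<mode> <name>\\0" + 20 raw SHA-1 bytes per entry, sorted by name."""
    body = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(blob_id)
        for name, blob_id in sorted(entries.items())
    )
    return store_object(store, "tree", body)


def write_commit(store: Store, tree_id: str, parent_id: Optional[str], message: str) -> str:
    """A commit names its tree and parent by id, so its own id covers the whole history."""
    lines = [f"tree {tree_id}"]
    if parent_id is not None:
        lines.append(f"parent {parent_id}")
    # Constructed identity and timestamp (hypothetical committer, fixed clock).
    ident = "Example Committer <committer@example.invalid> 1353178806 -0500"
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return store_object(store, "commit", ("\n".join(lines) + "\n").encode())


def parse_tree(body: bytes) -> List[str]:
    """Object ids referenced by a tree body."""
    ids, pos = [], 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        ids.append(body[nul + 1:nul + 21].hex())
        pos = nul + 21
    return ids


def parse_commit(body: bytes) -> List[str]:
    """Tree and parent ids named in a commit header (the header ends at the blank line)."""
    ids = []
    for line in body.split(b"\n"):
        if line == b"":
            break
        key, _, value = line.partition(b" ")
        if key in (b"tree", b"parent"):
            ids.append(value.decode())
    return ids


def fsck(store: Store, head: str) -> List[str]:
    """git-fsck style walk: re-hash every object reachable from head, resolve every reference."""
    # Returns the problems found; an empty list means the whole history behind head is intact.
    problems: List[str] = []
    seen, todo = set(), [head]
    while todo:
        oid = todo.pop()
        if oid in seen:
            continue
        seen.add(oid)
        if oid not in store:
            problems.append(f"missing object {oid}")
            continue
        kind, body = store[oid]
        if git_object_id(kind, body) != oid:
            problems.append(f"corrupt {kind} {oid}: bytes do not hash to their id")
            continue  # references inside a corrupt object cannot be trusted
        if kind == "commit":
            todo.extend(parse_commit(body))
        elif kind == "tree":
            todo.extend(parse_tree(body))
    return problems


def build_history(store: Store) -> Tuple[str, str]:
    """Constructed two-commit history; returns (first commit id, head commit id)."""
    tree1 = write_tree(store, {"README": write_blob(store, b"v1\n")})
    c1 = write_commit(store, tree1, None, "initial import")
    tree2 = write_tree(store, {"README": write_blob(store, b"v2\n")})
    c2 = write_commit(store, tree2, c1, "update README")
    return c1, c2


def tamper_in_place(store: Store, oid: str, new_body: bytes) -> None:
    """Overwrite an object's bytes but keep its old id, as a silent mirror or disk edit would."""
    kind, _ = store[oid]
    store[oid] = (kind, new_body)


if __name__ == "__main__":
    repo: Store = {}
    _, head = build_history(repo)
    print("clean:", fsck(repo, head))
    tamper_in_place(repo, git_object_id("blob", b"v1\n"), b"v1 plus an extra line\n")
    print("after tampering:", fsck(repo, head))
```

Because a release's commit id is itself a digest of the full history, signing a record that binds that id to the ISO hash gives downstream users the link back to the repository that the post says signing the ISO hash alone does not.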
FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
http://www.freebsd.org/news/2012-compromise.html http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key This...
grarpamp
grarpamp@...
Nov 18, 2012 1:34 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
On Sat, 17 Nov 2012 15:00:06 -0500 ... LOL And how will this help Linux? http://lwn.net/Articles/457142/ ...
Ivan Klymenko
fidaj@...
Nov 18, 2012 1:35 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
[snip] There's a git repository. It's public. You can look at what goes into the FreeBSD git clone to get your assurance that things aren't being snuck in....
Adrian Chadd
adrian@...
Nov 18, 2012 5:13 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... Yup: https://github.com/freebsd/ ... freebsd-security@... mailing list ...
Robert Simmons
rsimmons0@...
Nov 18, 2012 5:21 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
Hello, Adrian. You wrote on 18 November 2012, 8:55:54: AC> There's a git repository. It's public. You can look at what goes into AC> the FreeBSD git clone...
Lev Serebryakov
lev@...
Nov 18, 2012 10:45 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... I've always been confused by this. Which source repo is the true source of truth? To obtain the FreeBSD source, you can use CVS, SVN, or Git? Do all have...
Zach Leslie
xaque208@...
Nov 20, 2012 3:05 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... This changed a few months ago when ports and doc switched. As of now: - SVN is *the* source of truth. - CVS is exported from svn. It will eventually go...
Eitan Adler
lists@...
Nov 20, 2012 3:28 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... Would it be possible to publish FreeBSD's Subversion repository using HTTPS, instead of HTTP? -- I FIGHT FOR THE USERS ...
xenophon+freebsd
xenophon+freebsd@...
Nov 20, 2012 9:55 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... I don't know how often they update, but the mirrors listed at http://www.freebsd.org/doc/handbook/mirrors-svn.html have both http and https available Gary ...
Gary Palmer
gpalmer@...
Nov 20, 2012 12:07 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
On 20 November 2012 04:54, xenophon+freebsd ... %svn ls https://svn0.us-west.FreeBSD.org/base/ -- Eitan Adler ...
Eitan Adler
lists@...
Nov 20, 2012 4:27 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... You will get a certificate warning. The certificates used do not appear to be officially signed by a recognised CA. The hashes of the certificate keys...
Gary Palmer
gpalmer@...
Nov 20, 2012 4:31 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... The certificates are self-signed. Whilst the hashes are published on the FreeBSD website, that site is only available via HTTP so there's still a...
Peter Jeremy
peter@...
Nov 21, 2012 3:20 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... See DANE, RFC 6698. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET:...
Mark Andrews
marka@...
Nov 21, 2012 3:38 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... Which means getting the FreeBSD.org domain signed using DNSSEC. Something I'd be very happy to see. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. PGP:...
Matthew Seaman
matthew@...
Nov 21, 2012 12:17 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... http://mercurial.selenic.com/about/ -- Sphinx of black quartz, judge my vow. ...
Volodymyr Kostyrko
c.kworr@...
Nov 19, 2012 12:57 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... Even if it was BSD licensed, Mercurial has a huge dependency: Python; and Git is Perl-based. So neither of them is ideal, IMHO. If at all, we'd need a lean...
C. P. Ghost
cpghost@...
Nov 19, 2012 1:29 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... http://mercurial.selenic.com/wiki/License http://selenic.com/hg/file/tip/COPYING http://mercurial.selenic.com/about/ "Mercurial is free software licensed...
Mehmet Erol Sanliturk
m.e.sanliturk@...
Nov 19, 2012 1:29 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
http://www.fossil-scm.org/ I'm not a fossil user, but it's BSD licensed and written in C. Baptiste Daroussin probably could tell us more about fossil pros and cons....
Alexander Yerenkow
yerenkow@...
Nov 19, 2012 1:58 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... This misses one of the main points raised in the original post. The proliferation of git as a revision control system. Also, this particular tool bails...
Zach Leslie
xaque208@...
Nov 20, 2012 3:08 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... I would argue that git bails on that as well, but that's a different discussion. Whether or not fossil does "one thing" depends on which "one thing" you...
Mike Meyer
mwm@...
Nov 20, 2012 11:48 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... Look at the internals of fossil and how things are done in fossil and you would understand that the last sentence is totally wrong. Fossil has really nice...
Baptiste Daroussin
bapt@...
Nov 21, 2012 2:17 am

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... Nope, git is almost all C even though some other tools relying on git are in Perl. ... We don't have svn in base either. Your point? -- Ollivier ROBERT...
Ollivier Robert
roberto@...
Nov 19, 2012 1:43 pm

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
... http://selenic.com/repo/hg/file/fd903f89e42b http://selenic.com/repo/hg/file/fd903f89e42b/COPYING " GNU GENERAL PUBLIC LICENSE ...
Mehmet Erol Sanliturk
m.e.sanliturk@...
Nov 19, 2012 1:17 pm

Re: FreeBSD needs Git to ensure repo integrity
... FUD. Committer accounts don't have direct access to the repo. DES -- Dag-Erling Smørgrav - des@... ...
Dag-Erling Smørgrav
des@...
Nov 25, 2012 9:14 pm
Copyright © 2010 Yahoo! Inc. All rights reserved.
  • 3. freebsd-security : Message: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] http://groups.yahoo.com/group/freebsd-security/message/28708[6/24/13 9:38:10 AM] org/doc/handbook/mirrors-svn.html have both http and https available Gary ... Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] On 20 November 2012 04:54, xenophon +freebsd ... %svn ls https://svn0.us- west.FreeBSD.org/base/ -- Eitan Adler ______________________________ _________________ ... Eitan Adler lists@... Nov 20, 2012 4:27 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... You will get a certificate warning. The certificates used do not appear to be officially signed by a recognised CA. The hashes of the certificate keys... Gary Palmer gpalmer@... Nov 20, 2012 4:31 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... The certificates are self-signed. Whilst the hashes are published on the FreeBSD website, that site is only available via HTTP so there's still a... Peter Jeremy peter@... Nov 21, 2012 3:20 am Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... See DANE, RFC 6698. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET:... Mark Andrews marka@... Nov 21, 2012 3:38 am Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Which means getting the FreeBSD.org domain signed using DNSSEC. Something I'd be very happy to see. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. PGP:... Matthew Seaman matthew@... Nov 21, 2012 12:17 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... http://mercurial.selenic.com/about/ -- Sphinx of black quartz, judge my vow. _____________________ __________________________ freebsd- security@...... Volodymyr Kostyrko c.kworr@... Nov 19, 2012 12:57 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... 
Even if it was BSD licensed, Mercurial has a huge dependency: Python; and Git is Perl-based. So neither of them is ideal, IMHO. If at all, we'd need a lean... C. P. Ghost cpghost@... Nov 19, 2012 1:29 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... http://mercurial.selenic.com/wiki/License http://selenic.com/hg/file/tip/COPYING http://mercurial.selenic.com/about/ "Mercurial is free software licensed... Mehmet Erol Sanliturk m.e.sanliturk@... Nov 19, 2012 1:29 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] http://www.fossil-scm.org/ I'm not fossil user, but it's BSD licensed in written in C. Baptise Daroussin probably could tell us more about fossil pro and cons.... Alexander Yerenkow yerenkow@... Nov 19, 2012 1:58 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... This misses one of of the main points raised in the original post. The proliferation of git as a revision control system. Also, this particular tool bails... Zach Leslie xaque208@... Nov 20, 2012 3:08 am Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... I would argue that git bails on that as well, but that's a different discussion. Whether or not fossil does "one thing" depends on which "one thing" you... Mike Meyer mwm@... Nov 20, 2012 11:48 am Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Look at the internal of fossil and how things are done in fossil and you would understand that the last sentence is totally Baptiste Daroussin bapt@... Nov 21, 2012 2:17 am
  • 4. freebsd-security : Message: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] http://groups.yahoo.com/group/freebsd-security/message/28708[6/24/13 9:38:10 AM] wrong. Fossil has really nice... Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... Nope, git is almost all C even though some other tools relying on git are in Perl. ... We don't have svn in base either. Your point? -- Ollivier ROBERT... Ollivier Robert roberto@... Nov 19, 2012 1:43 pm Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] ... http://selenic.com/repo/hg/file/fd903f89e42b http://selenic.com/repo/hg/file/fd903f89e42b/COPYING " GNU GENERAL PUBLIC LICENSE ... Mehmet Erol Sanliturk m.e.sanliturk@... Nov 19, 2012 1:17 pm Re: FreeBSD needs Git to ensure repo integrity ... FUD. Committer accounts don't have direct access to the repo. DES -- Dag-Erling Smørgrav - des@... _______________________________________ ________ ... Dag-Erling Smørgrav des@... Nov 25, 2012 9:14 pm < Prev Topic  |  Next Topic > Copyright © 2010 Yahoo! Inc. All rights reserved. Privacy Policy - Terms of Service - Guidelines NEW - Help
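The hash-chaining the original post quotes from the Git documentation, worked through as an added example (this is not code from the post, from FreeBSD or from Git itself): a minimal Python re-implementation of how Git derives blob, tree and commit IDs, run over a three-commit history to show that altering the oldest file changes every commit ID after it, while altering only the newest changes only the last one. The file name, file contents and the author/committer stamp are constructed values.

```python
# Added example, not code from the post or from Git: a minimal re-implementation of
# Git's object hashing, showing why a commit ID pins down the entire history.
import hashlib


def git_object_id(kind: str, payload: bytes) -> str:
    """Git object ID: SHA-1 over the header '<type> <size>\\0' followed by the payload."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: dict) -> str:
    """Tree entries are '<mode> <name>\\0<20 raw id bytes>', sorted by name (regular files only)."""
    payload = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(files[name])
        for name in sorted(files)
    )
    return git_object_id("tree", payload)


# Constructed, fixed author/committer stamp so the IDs below are deterministic.
STAMP = "A U Thor <author@example.invalid> 1353200000 +0000"


def commit_id(tree: str, parent, message: str) -> str:
    """A commit names its tree and its parent by ID, so its own ID covers both."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += [f"author {STAMP}", f"committer {STAMP}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def build_history(versions) -> list:
    """Commit each version of one file (README) on top of the previous commit."""
    ids, parent = [], None
    for n, content in enumerate(versions):
        parent = commit_id(tree_id({"README": blob_id(content)}), parent, f"revision {n}")
        ids.append(parent)
    return ids


def first_divergence(a: list, b: list) -> int:
    """Index of the first commit whose ID differs between two histories, or -1 if none."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1


# Constructed inputs: a genuine history and two after-the-fact edits of it.
GENUINE = build_history([b"v1\n", b"v2\n", b"v3\n"])
TAMPERED_OLD = build_history([b"v1 (edited)\n", b"v2\n", b"v3\n"])  # oldest file altered
TAMPERED_NEW = build_history([b"v1\n", b"v2\n", b"v3 (edited)\n"])  # newest file altered
```

Comparing a published head commit ID against `GENUINE[-1]` therefore detects the edit in either tampered copy; `blob_id` reproduces the IDs `git hash-object` prints for the same bytes.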