I set up a (virtual) machine here at work as a local mirror of ca.archive.ubuntu.com, and was trying to change the VLAN it was on. Security got involved and sent me this:
How much testing and vetting of these patches is being performed? I have reservations about placing a server that is downloading open source code over a non-secured connection and allowing it to redistribute said code to basically anything in the Infranet.
What assurances can be provided as to the validity and integrity of the downloaded patches?
I responded that the process is valid and secure, just like Microsoft WSUS servers. I couldn't find any HTTPS mirrors, so I expect that man-in-the-middle attacks aren't worth guarding against. Security responded with:
Is the downloading and validation process done manually, or is the on-site mirror server performing this automatically without user intervention?
And the cryptographic signatures you describe, are you referring to MD5 or SHA-1 hashes?
The packages themselves have MD5, SHA1 and SHA256 hashes, and the repositories are signed with PGP keys. And the latest (is he coming around?):
Thank you for the informative links Kevin.
From the apt-secure man
If a package comes from an archive without a signature or with a signature that apt does not have a key for, that package is considered untrusted and installing it will result in a big warning. apt-get will currently only warn for unsigned archives; future releases might force all sources to be verified before downloading packages from them.
How is our implementation set up? Only providing a warning that a package signature could not be verified is worrisome. The entire process also revolves around the complete trust of not only the archives but the entire GnuPG system including the debian-keyrings (which of course closely equate to numerous certificate authorities in the SSL world).
As for more of a focus on proper network placement, can you offer up any expected bandwidth numbers not only from the mirror to the Internet, but between all of the servers and the mirror? I'm not looking for exact science here but a rough estimate will allow me to balance performance concerns with those I have as to the security posture of the entire setup.
That's the story so far. I just wanted to share this with all y'all.
Kevin
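To make the "hashes versus signatures" distinction in the exchange above concrete, here is an added example (not code from the thread or from apt itself) that checks an index file on a mirror against the digest sections of a Release file, the way apt does after it has verified the Release file's PGP signature. The Release file layout used (MD5Sum, SHA1 and SHA256 sections with indented "hex size path" entries) is the Debian archive format; the index content, path and Release text are constructed inline for the demonstration. The block deliberately stops short of the signature check: a matching hash only tells you the file is the one the Release file describes, and it is the signature on the Release file that ties that description back to the archive's keyring.

```python
import hashlib

# Constructed sample index file and path, standing in for a Packages file on the mirror.
INDEX_PATH = "main/binary-amd64/Packages"
INDEX_DATA = b"Package: example\nVersion: 1.0-1\nArchitecture: amd64\n\n"

# Section headers a Release file uses for each digest algorithm.
SECTION_NAMES = {"md5": "MD5Sum", "sha1": "SHA1", "sha256": "SHA256"}

def build_release(data, path, algos):
    """Render a minimal Release file listing `data` under the given hash sections.
    Used here only to construct sample input; real Release files come from the archive."""
    lines = ["Origin: Ubuntu", "Suite: example"]
    for algo in algos:
        lines.append(SECTION_NAMES[algo] + ":")
        lines.append(" %s %d %s" % (hashlib.new(algo, data).hexdigest(), len(data), path))
    return "\n".join(lines) + "\n"

# Two constructed Release files: one with all three digests, one that only carries MD5.
RELEASE_TEXT = build_release(INDEX_DATA, INDEX_PATH, ["md5", "sha1", "sha256"])
MD5_ONLY_RELEASE = build_release(INDEX_DATA, INDEX_PATH, ["md5"])

def parse_release(text):
    """Return {algo: {path: (hexdigest, size)}} from the hash sections of a Release file.
    A section starts with a header such as 'SHA256:'; its entries are indented lines
    of the form ' <hex> <size> <path>'. Other header fields are ignored."""
    by_header = {header: algo for algo, header in SECTION_NAMES.items()}
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Field header: switch sections (None for fields that are not hash lists).
            current = by_header.get(line.split(":", 1)[0])
            continue
        if current is not None:
            hexdigest, size, path = line.split()
            result.setdefault(current, {})[path] = (hexdigest, int(size))
    return result

def verify_index(release, path, data, preference=("sha256", "sha1", "md5")):
    """Check `data` against the strongest digest the Release file lists for `path`.
    Returns (ok, algorithm_used, reason). Size is compared first because it is cheap
    and a mismatch already proves the file is not the one the archive published."""
    for algo in preference:
        entry = release.get(algo, {}).get(path)
        if entry is None:
            continue
        expected, size = entry
        if len(data) != size:
            return (False, algo, "size mismatch")
        if hashlib.new(algo, data).hexdigest() != expected:
            return (False, algo, "digest mismatch")
        if algo == "md5":
            # Verified, but MD5 is the only digest on offer: flag it for the reviewer.
            return (True, algo, "only MD5 available; weak")
        return (True, algo, "ok")
    return (False, None, "path not listed in Release")

if __name__ == "__main__":
    rel = parse_release(RELEASE_TEXT)
    print(verify_index(rel, INDEX_PATH, INDEX_DATA))
    print(verify_index(rel, INDEX_PATH, INDEX_DATA + b"\n"))
    print(verify_index(parse_release(MD5_ONLY_RELEASE), INDEX_PATH, INDEX_DATA))
```

Run against a real mirror you would read the Release file from disk, verify its detached signature against the archive keyring first, and then call verify_index for each Packages and Sources file before letting clients see the new tree; the "weak" result is the case the security team was asking about when they mentioned MD5 and SHA-1.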
As with all things in the field of security, it's about striking a balance.
It's good (and surprising actually) that you have a system admin smart enough to ask those questions. Those are always good things to consider before doing an implementation.
However, if the end result is that you're denied the ability to install patches, then to me that does not strike a very good balance. The patching process for any of the mainstream distros has plenty of safeguards in place but like anything, it's not infallible. Of course that's not unique to open source. Any operating system is vulnerable.
To my way of thinking the risk of compromise through patching is far less than the risk of compromise by _not_ patching.
I don't know Ubuntu all that well but I'm certain that the default is to fail if the signatures on the files are wrong, so automated patching should not be a security issue.