[oi-dev] Fwd: [oi-infra] distribution integrity measures

Bayard Bell buffer.g.overflow at googlemail.com
Thu Apr 28 16:35:43 UTC 2011


Quick word about me: I've worked previously in Unix security for a financial services multinational. I'm an MSc candidate in Computer Security and Forensics and will be working for Illumos SoC on IKE this summer.

I'm happy to help sort this out.

Cheers,
Bayard

Begin forwarded message:

> From: Alasdair Lumsden <alasdairrr at gmail.com>
> Date: 28 April 2011 12:20:03 GMT+01:00
> To: OpenIndiana Infrastructure mailing list <oi-infra at openindiana.org>
> Subject: Re: [oi-infra] distribution integrity measures
> 
> Hi Bayard,
> 
> Probably not - OI Infra is for those people looking after the server instances, of which there aren't that many people at present.
> 
> I'd recommend re-posting to oi-dev!
> 
> Cheers,
> 
> Alasdair
> 
> On 28 Apr 2011, at 10:39, Bayard Bell wrote:
> 
>> Have I contacted the right list for this question?
>> 
>> On 23 Apr 2011, at 15:41, Bayard Bell <buffer.g.overflow at googlemail.com> wrote:
>> 
>>> I've been getting up to speed on OpenIndiana/Illumos, and one of the things that's struck me so far is what I take to be gaps in distribution integrity measures. I thought I'd start with oi-infra rather than oi-discuss, as this list seems to have more direct ownership. This is a first post, so please forgive me if this isn't the right forum.
>>> 
>>> What I've noticed is a number of variations on the basic problem that there are quite a lot of opportunities to MITM downstream consumers via name-service based attacks or, what is rather less of a risk, session hijacking, creating risks of arbitrary content injection. My recollection is that OpenSolaris signed packages and made extensive use of ssh keys to provide mitigations, and there don't appear to be equivalent measures in OpenIndiana release or package distribution and source mirrors, many of which provide neither transport security nor signing. (Just to summarise what I see: OpenIndiana packages aren't signed, the OpenIndiana mirror of the Illumos source is only available by plain http, mirrors seem to rsync unsigned content without transport security, and the checksums for the distribution ISOs are only available by plain http.)
>>> 
>>> My question is more or less whether this is a known and accepted risk that reflects where the project is in coming up to speed or something more of an oversight.
>>> 
>>> Cheers,
>>> Bayard
>> 
>> _______________________________________________
>> oi-infra mailing list
>> oi-infra at openindiana.org
>> http://openindiana.org/mailman/listinfo/oi-infra
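
The point in the original post about ISO checksums being served only over plain http, as an added example that is not part of the thread or of any OpenIndiana tooling: a checksum file fetched over the same unauthenticated path as the image verifies whatever was substituted in transit, while a manifest tied to an out-of-band trust anchor does not. A pinned manifest digest stands in here for a signature check, and the file name, sample bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# sha256sum line: 64 hex chars, a space, ' ' or '*' (binary flag), then the file name.
_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_manifest(text):
    """Return {filename: lowercase sha256 hex} from sha256sum-style text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def verify_download(name, content, manifest_text, pinned_manifest_sha256=None):
    """Check content against the manifest; return (ok, reason).

    pinned_manifest_sha256 is a trust anchor obtained over an authenticated
    channel. Without it the manifest is only as trustworthy as its transport.
    """
    if pinned_manifest_sha256 is not None:
        seen = hashlib.sha256(manifest_text.encode()).hexdigest()
        if not hmac.compare_digest(seen, pinned_manifest_sha256.lower()):
            return False, "manifest does not match pinned digest"
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False, "file not listed in manifest"
    if not hmac.compare_digest(hashlib.sha256(content).hexdigest(), expected):
        return False, "content digest mismatch"
    return True, "ok"

def make_manifest(name, content):
    """Build a one-line sha256sum-style manifest for the sample data."""
    return f"{hashlib.sha256(content).hexdigest()}  {name}\n"

# Constructed sample data; the file name and bytes are hypothetical.
NAME = "example.iso"
GENUINE = b"constructed genuine image bytes"
ALTERED = b"constructed image bytes altered in transit"
PINNED = hashlib.sha256(make_manifest(NAME, GENUINE).encode()).hexdigest()

if __name__ == "__main__":
    forged = make_manifest(NAME, ALTERED)  # checksum file rewritten on the same path
    print(verify_download(NAME, ALTERED, forged))          # (True, 'ok')
    print(verify_download(NAME, ALTERED, forged, PINNED))  # (False, 'manifest does not match pinned digest')
```
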
