Bug 1319280
| Summary: | spec file source url in bind uses ftp instead of https | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Andrew Shewmaker <shewa> |
| Component: | bind | Assignee: | Tomáš Hozza <thozza> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Sklenar <psklenar> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 7.3 | CC: | jscotka, psklenar |
| Target Milestone: | rc | Keywords: | EasyFix |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | bind-9.9.4-34.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 01:26:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andrew Shewmaker
2016-03-18 17:00:39 UTC
(In reply to Andrew Shewmaker from comment #0) > Description of problem: > > "... what guarantee is there that no MITM attacker compromised the tarballs > when they were downloaded from upstream by a distro package maintainer? ..." > > from https://blogs.gnome.org/mcatanzaro/2016/03/13/do-you-trust-this-package/ > > I spot checked a few spec files: bind, dracut, git, python, and systemd. It > appeared that they all used plain ftp and http urls in their source field > instead of something like https. > > Shouldn't the sources refer to more secure urls? Does Red Hat verify > checksums? Or are their other procedures Red Hat has put in place to > address basic man-in-the-middle attack concerns? The URL in SPEC is not used during the build process. It is there just as a reference of where the sources can be found. We download the sources only once and upload them to internal storage. Then for any build the tarball from the internal storage is used. Also when downloading latest version of sources, I use HTTPS and I always verify the GPG signature of the tarball. > I realize that paranoia can be a rabbit hole, but it seems like gradually > migrating to https would be a relatively easy improvement. Maybe you're > already in the process? Sure, we could change the URL to use HTTPS instead of FTP. Nevertheless in reality this will have no impact on the trustworthiness of the sources or of the build process. (In reply to Tomas Hozza from comment #2) > The URL in SPEC is not used during the build process. It is there just as a > reference of where the sources can be found. We download the sources only > once and upload them to internal storage. Then for any build the tarball > from the internal storage is used. > > Also when downloading latest version of sources, I use HTTPS and I always > verify the GPG signature of the tarball. > > > I realize that paranoia can be a rabbit hole, but it seems like gradually > > migrating to https would be a relatively easy improvement. Maybe you're > > already in the process? > > Sure, we could change the URL to use HTTPS instead of FTP. Nevertheless in > reality this will have no impact on the trustworthiness of the sources or of > the build process. Thanks for explaining how Red Hat's process works, and I'm glad my bug report was unnecessary. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2233.html |