Hide Forgot
Description of problem: "... what guarantee is there that no MITM attacker compromised the tarballs when they were downloaded from upstream by a distro package maintainer? ..." from https://blogs.gnome.org/mcatanzaro/2016/03/13/do-you-trust-this-package/ I spot checked a few spec files: bind, dracut, git, python, and systemd. It appeared that they all used plain ftp and http urls in their source field instead of something like https. Shouldn't the sources refer to more secure urls? Does Red Hat verify checksums? Or are their other procedures Red Hat has put in place to address basic man-in-the-middle attack concerns? I realize that paranoia can be a rabbit hole, but it seems like gradually migrating to https would be a relatively easy improvement. Maybe you're already in the process? Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: Looking at the bind package, for example ... 1. Go to https://git.centos.org/log/rpms!bind/refs!heads!c7 2. Click on top reference 3. Click on spec file 4. Search for Source Actual results: Source: ftp://ftp.isc.org/isc/bind9/%{VERSION}/bind-%{VERSION}.tar.gz Expected results: Source: https://ftp.isc.org/isc/bind9/%{VERSION}/bind-%{VERSION}.tar.gz Additional info:
(In reply to Andrew Shewmaker from comment #0) > Description of problem: > > "... what guarantee is there that no MITM attacker compromised the tarballs > when they were downloaded from upstream by a distro package maintainer? ..." > > from https://blogs.gnome.org/mcatanzaro/2016/03/13/do-you-trust-this-package/ > > I spot checked a few spec files: bind, dracut, git, python, and systemd. It > appeared that they all used plain ftp and http urls in their source field > instead of something like https. > > Shouldn't the sources refer to more secure urls? Does Red Hat verify > checksums? Or are their other procedures Red Hat has put in place to > address basic man-in-the-middle attack concerns? The URL in SPEC is not used during the build process. It is there just as a reference of where the sources can be found. We download the sources only once and upload them to internal storage. Then for any build the tarball from the internal storage is used. Also when downloading latest version of sources, I use HTTPS and I always verify the GPG signature of the tarball. > I realize that paranoia can be a rabbit hole, but it seems like gradually > migrating to https would be a relatively easy improvement. Maybe you're > already in the process? Sure, we could change the URL to use HTTPS instead of FTP. Nevertheless in reality this will have no impact on the trustworthiness of the sources or of the build process.
(In reply to Tomas Hozza from comment #2) > The URL in SPEC is not used during the build process. It is there just as a > reference of where the sources can be found. We download the sources only > once and upload them to internal storage. Then for any build the tarball > from the internal storage is used. > > Also when downloading latest version of sources, I use HTTPS and I always > verify the GPG signature of the tarball. > > > I realize that paranoia can be a rabbit hole, but it seems like gradually > > migrating to https would be a relatively easy improvement. Maybe you're > > already in the process? > > Sure, we could change the URL to use HTTPS instead of FTP. Nevertheless in > reality this will have no impact on the trustworthiness of the sources or of > the build process. Thanks for explaining how Red Hat's process works, and I'm glad my bug report was unnecessary.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2233.html