Re: [GNU-linux-libre] Help users to verify their downloads


From: Jean Louis
Subject: Re: [GNU-linux-libre] Help users to verify their downloads
Date: Mon, 25 Jun 2018 13:38:50 +0200
User-agent: Mutt/1.10.0 (2018-05-17)

On Mon, Jun 25, 2018 at 07:15:21AM -0400, bill-auger wrote:
> On Mon, 2018-06-25 at 11:33 +0200, Jean Louis wrote:
> > If users don't know how to verify PGP fingerprints
> > with the issues of the PGP key, and it is anyway
> > unlikely that any serious percentage would be
> > doing so, then we are wasting time by creating
> > apparent security.
> 
> it is why package managers such as apt and
> pacman run the verifications implicitly so that
> the user does not need to know how it is done

It ends up in believing and not assurance.

If the user did not verify fingerprints by some
other communication line, in reality nothing has
really been secured; we have got belief only, and
not assurance.

Servers can be compromised, and they do get
occasionally compromised.

An example is where a full distribution has been compromised:
https://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/

pacman or another package manager verifies that the
package has been signed by the referenced PGP
key.

For the user, especially if the user does not know
anything, it really means nothing, because there is
no true security there.

If you don't know which door in your house is
closed or open, that does not mean your doors are
closed and you are safe just because you don't
know it.

Servers can be compromised and package databases
can be compromised.

PGP keys can be published without any connection
between the actual key controller and the email
address or PGP identity.

There are a few fake PGP identities of RMS on PGP
key servers, for example.

It gives some feeling of assurance; it does not
give security.

It all ends up with trust based on belief in
the domain and servers, and that the domain and
the servers where packages or package databases
are located are trusted.

But there is no assurance whatsoever to know if
that domain was cracked, as we all do not have
any access to the domain.

So we believe the maintainers who maintain their
domains and servers that nothing was compromised.

Which means there is no security at all.

We base the downloads of free software on trust,
not on security.

All these facts shall be made known by each
distribution:

- that hashes help only to verify that the expected
  file arrived from the server to the local computer,
  and say nothing about the genuineness of the package
  or that it is not compromised, and that it is valid
  only when the original file is signed by a
  PGP key and such PGP key fingerprints are verified
  between the user and the real key owner

- that PGP signatures cannot be an assurance of any
  security unless fingerprints have been verified
  by an independent communication line with the key
  owner

For more info:
https://gnupg.org/faq/gnupg-faq.html#how_do_i_verify_signed_packages

Quoting:

> Get a copy of the author's public certificate and
> import it to your keyring. It's important to get
> the author's certificate through a trusted
> source. On the internet, anyone can pretend to
> be anyone. Particularly, be careful if the
> certificate you have doesn't match the one used
> for prior code releases.

Now, knowing this, what users often do is the
following (not all users):

- in the first place, they do not know and do not
  have easy access to the information WHO is the
  maintainer of the package or the controller of the
  PGP key; the information exists, but is not easily
  accessible

- they do not get a copy of the author's public
  certificate, but rather rely on the domain and
  server or the distribution itself, probably do not
  even know the URL from which packages are
  downloaded, and certainly do not import the
  certificate into their own keyring, but leave it to
  pacman or the package manager to handle it,

- they do not use a trusted source, but simply
  trust everything; the user is naive, and we shall
  make it clear to them that no absolute security
  exists that the package was not compromised

- they do not understand that something like
  address@hidden can be faked by just
  anybody and that everybody can make a PGP key for
  any email address in the world

- they do not verify if the certificate is recent or
  changed in comparison to prior code releases

- and they do not know how to use GnuPG

And when package databases and such software are
held on mirrors, then there is an even worse
opportunity to get compromised software.

The conclusion is that all the efforts that package
maintainers are making can be made futile by one
single server compromise and changes to the package
databases.

Jean 
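A defender-side illustration of the point made in this message, added here and not part of the original thread or of any distribution's tooling: a POSIX shell check that accepts a downloaded release only when gpg reports the signature as valid AND the signing key (or its primary key) has exactly the fingerprint the user pinned from an independent channel, rather than whichever key the server or keyserver offered. File names and fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. Verifies a downloaded
# release against a PGP fingerprint pinned from an out-of-band source, so
# the check does not reduce to "some key the server offered signed it".
# The pinned fingerprint is whatever you confirmed with the key owner over
# an independent channel; every value used below is a constructed placeholder.
set -u

# check_status PINNED_FPR   (reads `gpg --status-fd 1` output on stdin)
# Accepts only if gpg reports VALIDSIG and the signing key or its primary
# key has exactly the pinned fingerprint. GOODSIG alone is not enough: it
# only says that a key present in the keyring signed the file, not which one.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    matched=0
    while read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        [ "$keyword" = "VALIDSIG" ] || continue
        # When present, the last VALIDSIG field is the primary key
        # fingerprint (the signature itself may come from a subkey).
        primary=""
        for w in $rest; do primary=$w; done
        if [ "$fpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
            matched=1
        fi
    done
    [ "$matched" -eq 1 ]
}

# verify_download FILE SIGNATURE PINNED_FPR
# The .sig file and the public key may both come from the same (possibly
# compromised) server; only the pinned fingerprint is trusted here.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Example invocation (placeholder names and fingerprint):
# verify_download release.tar.xz release.tar.xz.sig \
#     '0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'
```

A matching hash file from the same server adds nothing to this check; it only confirms that the bytes which left the server are the bytes that arrived.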
