3 comments

  • RickJWagner 18 minutes ago
    Supply chain security is not easy, but it’s an important defense. Red Hat has done some good work in this area.
  • Chris2048 1 hour ago
    Looking at the Debian example: https://in-toto.io/docs/examples/debian/

    Does Debian already provide signature on .deb files (that is, provide a manifest of their hashes and and sign each)? If so, you could potentially d/l the files from any source/mirror?

    • marksomnian 38 minutes ago
      To answer your question:

      > Does Debian already provide signature on .deb files (that is, provide a manifest of their hashes and and sign each)?

      Yes it does. If you look at https://ftp.debian.org/debian/dists/trixie/InRelease it's a PGP-signed file containing a list of files and their hashes. Each of those files (eg https://ftp.debian.org/debian/dists/trixie/main/binary-amd64...) then contains a list of .deb files along with their shasums. In other words, a Debian repo is a set of deb files, metadata files with their hashes, index files with hashes of the metadata files, and PGP signatures for the indexes, so the whole chain can be verified.

      This means that anyone can set up a deb mirror by (essentially, there's some extra steps) copying that entire structure and the integrity is guaranteed because only the upstream admins can sign the metadata.

    • marksomnian 42 minutes ago
      That's exactly where I keep getting caught. I've looked at in-toto a number of times, and each time I've been left wondering "how is this better than a signed list of hashes?".

      Which I suppose is what in-toto is at its core, but it's taken me a long time and lots of reading to get to that point, and I'm not seeing the advantages of it (except it being a standard, OK, fair enough).

      I must be missing something.

      • uecker 14 minutes ago
        I assume it is meant to not only have hashes of the final output, but also securely record all steps done by the right people and the right inputs during build the software. But this solves the wrong (^1 problems while still leaving the door open for malware. Reproducible builds are the right step forward if you actually care about security of free software ecosystem.

        1. I guess this depend on your position. In the context of remote attestation, I think this is also even dangerous / evil.

  • nttylock 1 hour ago
    [flagged]