[RndTbl] Ubuntu mirror security

Kevin McGregor kevin.a.mcgregor at gmail.com
Mon May 9 15:11:42 CDT 2011


I set up a (virtual) machine here at work as a local mirror of
ca.archive.ubuntu.com, and was trying to change the VLAN it was on. Security
got involved and sent me this:

How much testing and vetting of these patches is being performed?  I have
reservations about placing a server that is downloading open source code
over a non-secured connection and allowing it to redistribute said code to
basically anything in the Infranet.

What assurances can be provided as to the validity and integrity of the
downloaded patches?


I responded that the process is valid and secure, just like Microsoft WSUS
servers. I couldn't find any HTTPS mirrors, so I expect that
man-in-the-middle attacks aren't worth guarding against. Security responded
with:


Is the downloading and validation process done manually, or is the on-site
mirror server performing this automatically without user intervention?

And the cryptographic signatures you describe, are you referring to MD5 or
sha-1 hashes?


The packages themselves have MD5, SHA1 and SHA256 hashes, and the
repositories are signed with PGP keys. And the latest (is he coming
around?):

Thank you for the informative links Kevin.

From the apt-secure man page:

       If a package comes from an archive without a signature or with a
       signature that apt does not have a key for, that package is considered
       untrusted and installing it will result in a big warning.  apt-get will
       currently only warn for unsigned archives; future releases might force
       all sources to be verified before downloading packages from them.

How is our implementation set up?  Only providing a warning that a package
signature could not be verified is worrisome.  The entire process also
revolves around the complete trust of not only the archives but the entire
GnuPG system including the debian-keyrings (which of course closely equate
to numerous certificate authorities in the SSL world).

As for more of a focus on proper network placement, can you offer up any
expected bandwidth numbers not only from the mirror to the Internet, but
between all of the servers and the mirror?  I'm not looking for exact
science here but a rough estimate will allow me to balance performance
concerns with those I have as to the security posture of the entire setup.


That's the story so far. I just wanted to share this with all y'all.

Kevin
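An added worked example (mine, not code from Kevin's post or from apt itself) of the hash chain the thread is arguing about. Once the mirror's Release file has been verified against the Ubuntu archive keyring (for example with `gpgv --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg Release.gpg Release`, a step assumed to have already happened here), its SHA256 stanza pins every Packages index, and each Packages stanza pins the size and SHA256 of the .deb it names. The Release, Packages and .deb contents below are constructed for illustration; the point of the code is that a verifier of this chain fails closed on any mismatch, rather than issuing the warning the quoted man page describes.

```python
"""Verify the apt hash chain below the signed Release file: Release -> Packages -> .deb.

Added example, not code from the original post or from apt.  Assumed context:
the mirror's Release file has already been checked against the Ubuntu archive
keyring (e.g. gpgv --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
Release.gpg Release), so its SHA256 stanza is trusted.  The Release, Packages
and .deb contents used here are constructed for illustration.
"""
import hashlib


class VerificationError(Exception):
    """Any mismatch aborts the chain; there is no 'warn and continue' path."""


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the 'SHA256:' stanza of a Release file."""
    entries = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(' '):           # an unindented field starts a new stanza
            in_sha256 = line.rstrip() == 'SHA256:'
            continue
        if in_sha256:
            digest, size, path = line.split()  # ' <hex> <size> <path>'
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return one {field: value} dict per blank-line-separated stanza of a Packages index."""
    stanzas = []
    for block in packages_text.strip().split('\n\n'):
        fields = {}
        for line in block.splitlines():
            if ':' in line and not line.startswith(' '):
                key, value = line.split(':', 1)
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas


def check_digest(data, expected_hex, expected_size, what):
    """Compare size first (cheap), then the SHA256 of the bytes actually downloaded."""
    if len(data) != expected_size:
        raise VerificationError(f'{what}: size {len(data)} != {expected_size}')
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_hex:
        raise VerificationError(f'{what}: sha256 {actual} != {expected_hex}')


def verify_chain(release_text, packages_path, packages_bytes, deb_filename, deb_bytes):
    """Verify Packages against Release, then the .deb against Packages.

    Returns the Package name on success; raises VerificationError otherwise.
    """
    release = parse_release_sha256(release_text)
    if packages_path not in release:
        raise VerificationError(f'{packages_path} is not listed in Release')
    check_digest(packages_bytes, *release[packages_path], what=packages_path)
    for stanza in parse_packages(packages_bytes.decode()):
        if stanza.get('Filename') == deb_filename:
            check_digest(deb_bytes, stanza['SHA256'], int(stanza['Size']), what=deb_filename)
            return stanza['Package']
    raise VerificationError(f'{deb_filename} is not listed in {packages_path}')


def chain_ok(*args):
    """Boolean convenience wrapper around verify_chain()."""
    try:
        verify_chain(*args)
        return True
    except VerificationError:
        return False


# --- constructed sample data (not a real .deb, not a real Ubuntu index) ---
DEB_FILENAME = 'pool/main/h/hello/hello_2.7-1_amd64.deb'
PACKAGES_PATH = 'main/binary-amd64/Packages'
DEB_BYTES = b'!<arch>\ndebian-binary   placeholder bytes standing in for a .deb\n'


def build_sample(deb_bytes=DEB_BYTES):
    """Build a Packages index and a Release file that correctly pin deb_bytes."""
    packages = (
        'Package: hello\nVersion: 2.7-1\nArchitecture: amd64\n'
        f'Filename: {DEB_FILENAME}\nSize: {len(deb_bytes)}\n'
        f'SHA256: {hashlib.sha256(deb_bytes).hexdigest()}\n\n'
    ).encode()
    release = (
        'Origin: Ubuntu\nSuite: natty\nSHA256:\n'
        f' {hashlib.sha256(packages).hexdigest()} {len(packages):16d} {PACKAGES_PATH}\n'
    )
    return release, packages


if __name__ == '__main__':
    release, packages = build_sample()
    print('intact .deb   ->', verify_chain(release, PACKAGES_PATH, packages, DEB_FILENAME, DEB_BYTES))
    tampered = DEB_BYTES[:-1] + b'X'           # same size, different content
    print('tampered .deb ->', chain_ok(release, PACKAGES_PATH, packages, DEB_FILENAME, tampered))
```

The thing to audit on the clients of such a mirror is the setting that turns a verification failure into a hard stop: with apt-get of that era, `apt-get update` only warns about an unsigned or unverifiable Release, but `apt-get install` refuses unauthenticated packages unless it is run with `--allow-unauthenticated` (or `APT::Get::AllowUnauthenticated` is set to true), so that option is what should stay at its default on every machine pointed at the mirror.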