LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 03-11-2013, 04:06 PM   #16
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,257

Rep: Reputation: Disabled

Well, Pat signed my GPG key with the Slackware GPG key now (check http://pgp.mit.edu:11371/pks/lookup?...56AAAFA75CBDA0). That means you can verify that I created the packages, and there is a level of trust that goes back to the Slackware creator.

As for your boss's demand that packages should come from the official download site... how do you define "official"? Let us for instance check "ftp.slackware.com":
Code:
$ host ftp.slackware.com
ftp.slackware.com has address 140.211.166.134
$ host 140.211.166.134
134.166.211.140.in-addr.arpa domain name pointer ftp-osl.osuosl.org.
I hope you see my implication?
If not, this is what it proves: the official FTP host for Slackware is not at all a Slackware server. Instead, it is the main mirror site (ftp.osuosl.org) for not only Slackware, but several other distributions.
In fact, for many years when ftp.slackware.com was still hosted by Slackware, Inc. it was considered rude to download packages directly from the Slackware ftp server, because it was unable to offer the required bandwidth and the server would often buckle under the load. Tell your boss that.

In this world, it does not matter where you get your packages from. Any server, even well-known ones that are carefully managed, may get compromised and end up serving bad code. In the case of kernel.org the admins could offer plausible proof that the kernel sources had not been tampered with, because this is near-impossible to do with a git repository.
For the same reasons, you should not place false trust in the web site where you downloaded your packages. It is the GPG signatures of those packages that will prove to you the packages are the unmodified versions, packaged and signed by their creator. Tell your boss that.

As for the Slackware web site, it is too bad when he thinks the colours and rounded corners used in a web site design reflect the quality of a distro. If it comes down to that argument, then you will lose and your boss will win. I hope he will be convinced by quality. Also show him the Slackware Documentation Project at docs.slackware.com, which is a modern-style Wiki; he may be more impressed with that.

Finally, let us see what happens in a GPG verification:
Code:
$ gpg --verify /mnt/auto/sox/www/sox/slackware/slackbuilds/libreoffice/pkg64/14.0/libreoffice-4.0.1-x86_64-1alien.txz.asc
gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0
gpg: Can't check signature: public key not found
$ gpg --recv-keys A75CBDA0
gpg: requesting key A75CBDA0 from hkp server keys.gnupg.net
gpg: key A75CBDA0: public key "Eric Hameleers <alien@slackware.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify slackbuilds/libreoffice/pkg64/14.0/libreoffice-4.0.1-x86_64-1alien.txz.asc
gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0
gpg: Good signature from "Eric Hameleers <alien@slackware.com>"
gpg:                 aka "Eric Hameleers <alien@sox.homeip.net>"
gpg:                 aka "Eric Hameleers (SBo) <alien@slackbuilds.org>"
gpg:                 aka "Eric Hameleers <eric.hameleers@alienbase.nl>"
gpg:                 aka "Eric Hameleers (IBM Linux) <alien@nl.ibm.com>"
gpg:                 aka "Eric Hameleers (Thuis) <e.hameleers@chello.nl>"
gpg:                 aka "Eric Hameleers <eric.hameleers@int.greenpeace.org>"
gpg:                 aka "Eric Hameleers (IBM Linux) <alien@linux.vnet.ibm.com>"
gpg:                 aka "[jpeg image of size 3054]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F2CE 1B92 EE1F 2C0C E97E  581E 5E56 AAAF A75C BDA0
This shows how I imported my own key on a random computer and used GPG to check that the libreoffice package was signed by that same key which I had just downloaded. GPG then continues to say that it verified that this was the key which signed the package, but it cannot be certain that the real-life person "Eric Hameleers" is the owner of that GPG key. That is where the level of trust comes into play. A GPG key can be "signed" by other people, which means these other people vouch for "Eric Hameleers" really being the person who owns that GPG key.
The more people who sign a key, the bigger the web of trust becomes. If the owner of a well-known GPG key like Slackware's GPG key has signed my own key, that will enhance the credibility of "Eric Hameleers" as the owner of GPG key "A75CBDA0".

Suppose I import the Slackware GPG key as well and explicitly tell GPG to place trust in that key:
Code:
$ gpg --recv-keys 40102233
gpg: requesting key 40102233 from hkp server keys.gnupg.net
gpg: key 40102233: public key "Slackware Linux Project <security@slackware.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --edit-key 40102233
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  1024D/40102233  created: 2003-02-26  expires: 2038-01-19  usage: SCA 
                     trust: unknown       validity: unknown
sub  1024g/4E523569  created: 2003-02-26  expires: 2038-01-19  usage: E   
[ unknown] (1). Slackware Linux Project <security@slackware.com>

gpg> trust
pub  1024D/40102233  created: 2003-02-26  expires: 2038-01-19  usage: SCA 
                     trust: unknown       validity: unknown
sub  1024g/4E523569  created: 2003-02-26  expires: 2038-01-19  usage: E   
[ unknown] (1). Slackware Linux Project <security@slackware.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/40102233  created: 2003-02-26  expires: 2038-01-19  usage: SCA 
                     trust: ultimate      validity: unknown
sub  1024g/4E523569  created: 2003-02-26  expires: 2038-01-19  usage: E   
[ unknown] (1). Slackware Linux Project <security@slackware.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
OK, I told GPG that I place ultimate trust in Slackware's GPG key. Now watch what GPG thinks of my package when I verify its signature:
Code:
$ gpg --verify slackware/slackbuilds/libreoffice/pkg64/14.0/libreoffice-4.0.1-x86_64-1alien.txz.asc 
gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2038-01-19
gpg: Good signature from "Eric Hameleers <alien@slackware.com>"
gpg:                 aka "Eric Hameleers <alien@sox.homeip.net>"
gpg:                 aka "Eric Hameleers (SBo) <alien@slackbuilds.org>"
gpg:                 aka "Eric Hameleers <eric.hameleers@alienbase.nl>"
gpg:                 aka "Eric Hameleers (IBM Linux) <alien@nl.ibm.com>"
gpg:                 aka "Eric Hameleers (Thuis) <e.hameleers@chello.nl>"
gpg:                 aka "Eric Hameleers <eric.hameleers@int.greenpeace.org>"
gpg:                 aka "Eric Hameleers (IBM Linux) <alien@linux.vnet.ibm.com>"
gpg:                 aka "[jpeg image of size 3054]"
You see that the "WARNING: This key is not certified with a trusted signature!" warning has disappeared from the output.

I wish you luck.

Eric
 
2 members found this post helpful.
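The decision Eric walks through above (good signature, pinned signer, web-of-trust warning or not) written out as a small checker. This is an added example, not code from the post or from Slackware: it parses the human-readable `gpg --verify` output shown above, pins the fingerprint Eric quotes, and assumes that fingerprint was obtained through a channel other than the download mirror. The three sample outputs are constructed, abridged copies of the runs in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Signer pinned out of band: the fingerprint quoted in the post (assumption: you
# obtained it through a channel other than the mirror you download from).
PINNED_FPR = "F2CE1B92EE1F2C0CE97E581E5E56AAAFA75CBDA0"

# Constructed samples, abridged from the three gpg runs in the post.
MISSING = ('gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0\n'
           "gpg: Can't check signature: public key not found\n")
UNTRUSTED = ('gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0\n'
             'gpg: Good signature from "Eric Hameleers <alien@slackware.com>"\n'
             'gpg: WARNING: This key is not certified with a trusted signature!\n'
             'Primary key fingerprint: F2CE 1B92 EE1F 2C0C E97E  581E 5E56 AAAF A75C BDA0\n')
TRUSTED = ('gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0\n'
           'gpg: Good signature from "Eric Hameleers <alien@slackware.com>"\n')

@dataclass
class Verdict:
    key_id: Optional[str]       # from "using DSA key ID ..."; a short ID alone is weak
    fingerprint: Optional[str]  # gpg 1.4 prints it only together with the trust warning
    good: bool                  # "Good signature from" seen
    key_missing: bool           # "public key not found"
    untrusted: bool             # "not certified with a trusted signature"

def parse_verify_output(text: str) -> Verdict:
    """Parse the human-readable stderr of `gpg --verify` as shown in the post."""
    kid = re.search(r"key ID ([0-9A-F]{8,16})", text)
    fpr = re.search(r"Primary key fingerprint: ([0-9A-F ]+)", text)
    return Verdict(kid.group(1) if kid else None,
                   fpr.group(1).replace(" ", "") if fpr else None,
                   "Good signature from" in text,
                   "public key not found" in text,
                   "not certified with a trusted signature" in text)

def accept(text: str, pinned_fpr: str = PINNED_FPR) -> Tuple[bool, str]:
    """Install decision based on the signature alone; the mirror plays no role."""
    pinned_fpr = pinned_fpr.replace(" ", "").upper()
    v = parse_verify_output(text)
    if v.key_missing:
        return False, "signer key not in keyring: import it and compare its fingerprint"
    if not v.good:
        return False, "no good signature"
    if v.fingerprint and v.fingerprint != pinned_fpr:
        return False, "good signature, but from a key other than the pinned one"
    if v.key_id and not pinned_fpr.endswith(v.key_id):
        return False, "key ID does not belong to the pinned fingerprint"
    if v.untrusted:  # cryptographically valid; only the web-of-trust link is missing
        return True, "good signature, fingerprint matches pin, key outside web of trust"
    return True, "good signature from a trusted key"
```

In a real script prefer `gpg --status-fd` and its machine-readable GOODSIG/VALIDSIG lines over scraping this text, which changes between GnuPG versions and locales.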
Old 03-11-2013, 04:43 PM   #17
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 183
Blog Entries: 1

Original Poster
Rep: Reputation: 38
Eric, we are very well aware of using GPG to check software integrity and of the story of Kernel.org; however, rules regarding mirror sites are very rigid. As long as slackware.com is up and running, we have no alternative (assuming we keep using Slackware). Thanks for your understanding.

P.S. (Put slackware.com on cloud networks like Google, Amazon etc. and we may consider a possible alternative, but we are still looking at slackware.com for a seal of proof; there is no way around this.)

Last edited by number22; 03-11-2013 at 04:58 PM.
 
Old 03-11-2013, 06:46 PM   #18
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,318
Blog Entries: 5

Rep: Reputation: 783
Quote:
Originally Posted by number22
P.S.(put slackware.com on cloud networks, like google, amazon etc. we may consider a possible alternative, but still looking at slackware.com seals of a proof, there is no way around this.)
Why would they change it or move it to the "cloud"? It's NOT broken and has probably lived happily where it is for years.

Quote:
Originally Posted by number22
don't match up with AlienBob's website...Hard to explain.
No offense, but if you can't explain a mirror to those who have to know, how can you tell slackware.com isn't on the 'cloud' because something doesn't "match up"? And moving Slackware to a "cloud" would make it easier to explain?

Good Luck.

Last edited by Habitual; 03-11-2013 at 06:47 PM.
 
Old 03-11-2013, 10:26 PM   #19
MadMaverick9
Member
 
Registered: Aug 2010
Location: Here
Distribution: Slackware 14.0
Posts: 137

Rep: Reputation: Disabled
@number22
Quote:
we are very well aware using GPG to check software integrity
Quote:
but still looking at slackware.com seals of a proof
These are two conflicting messages and to me it shows that you do not understand GPG and the concept of "web of trust".

Quote:
but still looking at slackware.com seals of a proof
Yesterday Pat did just that by signing Eric's GPG key.

To put it bluntly - what we're trying to tell you is that it does not matter where files come from, as long as their signatures are good.

They could be on Mars hosted by Aliens ... and it wouldn't frickin' matter as long as their signature says that they were put there by AlienBOB ... uh ... Eric.
 
Old 03-11-2013, 11:17 PM   #20
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 183
Blog Entries: 1

Original Poster
Rep: Reputation: 38
@MadMaverick9
As far as we are concerned, mirror sites are unsecured; we don't care how stupid it may look to other people. We only use Slackware-related software and GPG signatures from slackware.com; getting a copy from the original source is the top priority. When links don't show the same addresses or auto-redirects raise some concerns, my job is to check and reconfirm that the reason is legit. Done, I don't have to explain how we do things any more.
 
Old 03-11-2013, 11:25 PM   #21
astrogeek
Senior Member
 
Registered: Oct 2008
Distribution: Slackware: 12.1, 13.1, 14.1, 64-14.1, -current, FreeBSD-10
Posts: 1,855

Rep: Reputation: 626
Quote:
Originally Posted by number22
As far as we are concerned, mirror sites are unsecured; we don't care how stupid it may look to other people.... my job is to check and reconfirm that the reason is legit. Done, I don't have to explain how we do things any more.
Good that you don't care...

But your unwillingness to learn how that job should actually be done ends up wasting a lot of valuable time of people who are really trying to help you.

No one is trying to offend you here, they are trying to get you to understand how it works.
 
Old 03-12-2013, 01:31 AM   #22
MadMaverick9
Member
 
Registered: Aug 2010
Location: Here
Distribution: Slackware 14.0
Posts: 137

Rep: Reputation: Disabled
Well - this thread is not a complete waste of time. Because when Pat signed Eric's key yesterday, something neat happened.

"Slackware Linux Project <security@slackware.com>" (0x40102233) now trusts "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>" (0x9C7BA3B6) indirectly. The Alien Connection.

All that remains to be done now is to verify that "volkerdi@lq" is really Pat. And verify that Pat is Pat.

Thank you very much, Pat!
 
Old 03-12-2013, 03:44 AM   #23
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 867

Rep: Reputation: 1747
Quote:
Originally Posted by MadMaverick9
Well - this thread is not a complete waste of time. Because when Pat signed Eric's key yesterday, something neat happened.

"Slackware Linux Project <security@slackware.com>" (0x40102233) now trusts "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>" (0x9C7BA3B6) indirectly. The Alien Connection.
Good call. That one is directly signed now as well.

Quote:
All that remains to be done now is to verify that "volkerdi@lq" is really Pat.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It really is me, folks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlE+6ugACgkQakRjwEAQIjOadwCfb9FhXKraIiYWnOc5qmMqSs+T
HzMAniFLW4CbZQmdXPtgXhjgxlic3M8x
=+U/h
-----END PGP SIGNATURE-----

Quote:
And verify that Pat is Pat.
Tough crowd.
 
Old 03-12-2013, 06:55 AM   #24
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,318
Blog Entries: 5

Rep: Reputation: 783
Quote:
Originally Posted by volkerdi
Tough crowd.
Key-signing Party at Pat's House!
 
Old 03-12-2013, 07:59 AM   #25
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,432

Rep: Reputation: 849
Quote:
Tough crowd.
Seems like the tail wags the dog these days. http://www.youtube.com/watch?v=sZrgxHvNNUc
 