qubes-builder-debian - replace local key creation with trusted=yes #1020

Closed
adrelanos opened this Issue Jun 3, 2015 · 7 comments

adrelanos commented Jun 3, 2015

About

Key-Type: RSA
Key-Length: 1024

This is a weak key. Even if it's just a local key and perfectly secure... It's a source for FUD. Fear, uncertainty, doubt. And from a marketing perspective, FUD can kill a project. I don't want to distract discussion of real security issues with such easy-to-confuse-easy-to-fix false-positives.

Can you please use deb [trusted=yes] rather than local signing key for local apt repository? I.e.

deb file:/tmp/qubes-deb $DEBIANVERSION main

-->

deb [trusted=yes] file:/tmp/qubes-deb $DEBIANVERSION main

and removing the local key creation should do. Also less code and more elegant.

(Similar to https://phabricator.whonix.org/T275#3897.) (@nrgaway)

nrgaway Jun 3, 2015

On 3 June 2015 at 10:11, Patrick Schleizer notifications@github.com wrote:

> About
>
> https://github.com/QubesOS/qubes-builder-debian/blob/cf29fccd63c1e8e00819db09d8eb1c280a61ade3/prepare-chroot-debian#L135-143
>
> https://github.com/QubesOS/qubes-builder-debian/blob/master/prepare-chroot-qubuntu#L118-126
>
> Key-Type: RSA
> Key-Length: 1024
>
> This is a weak key. Even if it's just a local key and perfectly secure...
> It's a source for FUD. Fear, uncertainty, doubt. And from a marketing
> perspective, FUD can kill a project. I don't want to distract discussion of
> real security issues with such easy-to-confuse-easy-to-fix false-positives.
>
> Can you please use deb [trusted=yes] rather than local signing key for
> local apt repository? I.e.
>
> deb file:/tmp/qubes-deb $DEBIANVERSION main
>
> -->
>
> deb [trusted=yes] file:/tmp/qubes-deb $DEBIANVERSION main
>
> and removing the local key creation should do. Also less code and more
> elegant.
>
> (Similar to https://phabricator.whonix.org/T275#3897.) (@nrgaway
> https://github.com/nrgaway)

I personally do not see how this can create FUD since as you noted the keys
are created for local installation of packages during initial template
creation and not for distribution purposes. Wouldn't having no key at all
provide the same concerns?

Anyway, if @marmarek feels this should be changed could we not just
increase the key size to minimize code changes?

adrelanos Jun 3, 2015

FUD is created by mechanical, knee-jerk like analysis and outrage along very simple thought lines "weak key -> insecure", conclude "Qubes using weak key -> insecure", action "outrage". Thoughts like "just locally used" are more sophisticated.

Increasing the key size increases build time, because creating a bigger key takes longer.

Using a key for a locally stored repository isn't required, since there is trusted=yes.

Using no key at all wouldn't raise any concerns. The trusted=yes points to a local resource, not much room to mess up.

Seems like this is something like "minimize code changes" vs "minimize code size and complexity".

marmarek Jun 3, 2015

On Wed, Jun 03, 2015 at 07:40:11AM -0700, nrgaway wrote:

> Anyway, if @marmarek feels this should be changed could we not just
> increase the key size to minimize code changes?

Yes, I think "[trusted=yes]" is a much better solution. Actually I was
looking for something like that but haven't found it - this is why I created
some local key.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

adrelanos commented Jun 24, 2015

Looks like this was implemented?

Closeable?

@marmarek marmarek closed this Jun 24, 2015
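
Added example, not part of the thread and not code from qubes-builder-debian: the thread's case for `[trusted=yes]` rests on the repository being a local `file:` path, so the script below checks that property over one-line `sources.list` entries and flags `trusted=yes` on any other URI. The function names, the sample remote URL, treating only `file:` as local, and matching only the literal `trusted=yes` spelling are assumptions.

```shell
# Added example: audit one-line sources.list entries for trusted=yes.
# Assumption: only file: URIs are local; only literal "trusted=yes" is matched.
# classify_entry LINE -> skip | signed | trusted-local | trusted-remote
classify_entry() {
    line=${1%%#*}                       # drop any trailing comment
    set -f; set -- $line; set +f        # split on whitespace, no globbing
    case "${1:-}" in
        deb|deb-src) shift ;;
        *) echo skip; return 0 ;;
    esac
    trusted=no
    case "${1:-}" in
    \[*)                                # option block: [a=b c=d] or [ a=b ]
        while [ $# -gt 0 ]; do
            word=$1; shift
            opt=${word#\[}; opt=${opt%\]}
            if [ "$opt" = "trusted=yes" ]; then trusted=yes; fi
            case "$word" in *\]) break ;; esac
        done ;;
    esac
    if [ "$trusted" = no ]; then echo signed; return 0; fi
    case "${1:-}" in                    # first word after the options is the URI
        file:*) echo trusted-local ;;
        *)      echo trusted-remote ;;
    esac
}

# audit_sources FILE: print "LINE_NO: entry" for each trusted=yes entry that
# is not a file: repository; exit status 1 if any were found.
audit_sources() {
    n=0; found=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        if [ "$(classify_entry "$entry")" = trusted-remote ]; then
            echo "$n: $entry"; found=1
        fi
    done < "$1"
    return "$found"
}

# Constructed sample: the two lines from the issue plus a remote misuse.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb file:/tmp/qubes-deb $DEBIANVERSION main
deb [trusted=yes] file:/tmp/qubes-deb $DEBIANVERSION main
deb [ arch=amd64 trusted=yes ] http://repo.example.invalid/debian stable main
EOF
audit_sources "$sample" || echo "unauthenticated non-local repository found"
rm -f "$sample"
```
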
