Ubuntu
live-build package

  1. Bug #1363519
  2. Comment #12

Comment 12 for bug 1363519

Revision history for this message
Thomas Mayer (thomas303) wrote :

I am very concerned about this issue. I installed from media 119cb63b48c9a18f31f417f09655efbd ubuntu-14.04.1-desktop-amd64.iso. I double-checked the hash comes from a SSL-trusted page and checked the md5 sum of the file which was correct.

However, I also get
 md5sum /boot/vmlinuz-3.13.0-32-generic
144bf4beed11fb77e5ad629452741310 /boot/vmlinuz-3.13.0-32-generic
md5sum /sbin/start-stop-daemon
b1b8894ae2e3b547dca0e288634cce4a /sbin/start-stop-daemon

Could you please re-check that this is trusted software?

Next, I'm thinking about the question, how the community can technically make sure that we never install untrusted software via apt-get. What if a man-in-the-middle-Attack happens? This can easyly happen, if your router is fishy!

Besides that, I think about third-party-repositories, and there's two scenarios I could imagine.
- What if I get untrusted keys via a man-in-the-middle-attack
- What about software which is downloaded by (third-party-)repo-software? First, this is out of focus for debsums. Second, I'm never sure if the downloaded software is rechecked against trustworth (SSL-transmitted) hashes. Many of us have to use oracle-java for some reason, which is provided by webupd8 repos, for example. Not that I say, I don't trust them. But if EVER they provide/download untrusted software(e.g. occasionally via man-in-the-middle), a lot of servers and desktops would be affected via regular update. For example, oracle-java download (done by the apt-package of webupd8) needs to be checked against a trusted hash. I hope, that is already the case, I did not recheck this.
- Think about wine software which is downloaded before you can use it
- Think about extensions in Mozilla's Firefox/Thunderbird or in OpenOffice/LibreOffice

In general:
- There's a bunch of software you need to download from sources which are not covered by apt-get (but possibly updated via apt-get). You don't get around that for some reason (e.g. oracle-java).
- If a man-in-the-middle-attack happens, the attacker could install any piece of software he wants via a regular update via third-party-repos and other software like wine.

The longer I think about it, the more I am concerned about ubuntu's security concerning software rollout. Still, I think that ubuntu's universe repo is the best way to provide lots of software which can be trusted (if the maintainer can be trusted). I would like to have the same affirmation for all software I ever need to install.