The Forbidden Subject
I am reprinting my recent post on the Arch Linux forums below so this is accessible and searchable – one value of having your own blog. One of the forum moderators (jasonwryan?) imposed an 8 week ban on me for “Trolling despite repeated warnings” for the post below, so I am not welcome there until May. (I don’t recall any Warnings, but apparently my memory is faulty?) Granted I wasn’t saying what they like to hear, but given the number of users’ threads and questions on this subject that they’re deleting, I think it needed to be addressed. At any rate, I cannot update or respond to the paccheck or other threads there, but you may bring any issues to my attention here or via email. They have also banned my IP from even viewing the forum – I guess that is a danger – so even though that’s easy to work around, don’t assume I’m reading there, as I probably won’t be automatically notified of new posts in threads.
My ‘8 week ban’ post follows:
Allan wrote somewhere (you must be logged in):
I will repeat my offer. If anyone provides patches for the remaining issues with pacman as given on this page: https://wiki.archlinux.org/index.php/Us … ge_Signing , then I will get all the patches in a format suitable for actual merging to the pacman code base. I made this offer several weeks ago on pacman-dev and quite a few people said they had patches that were “almost ready”. As usual, none ever eventuated…
Now as to whether this is really important… well, it is… but:
1) the described ARP attacks require the hacker be on your network. That is not a particularly practical attack for most Arch usages (home computer…).
2) exploited mirrors are likely to be detected quickly. Even faster now paccheck has been provided. But they would have been detected by people who segment their downloads across mirrors anyway (or even downloaded packages from a different mirror than their database) and there are a lot of people who did that.
3) if it was that important, people would have the motivation to actually code on it…
The quickest way (in fact, probably the only way) to get this fixed is to provide the patches for pacman. Having the feature implemented there will likely increase the motivation to get signing used in the repos.
I would like to reply to Allan’s third point and his alleged invitation.
I attempted to contribute a very effective interim solution. I submitted two flysprays that could hugely improve Arch’s security in this area with virtually no work needing to be done. It turns out that one of these ideas – to have the server automatically sign the database – was submitted by one of their own developers 3 years ago (a virtual eternity in the world of computers). It was shot down at that time because pacman package signing was ‘almost complete’. He is still an Arch developer and offered to implement it immediately when he saw my request, but there is no one willing to authorize the simple change required. With the use of a simple signature checking script which I offered to write, this change would make 150+ mirrors as secure as the primary Arch server. The other idea – to include SHA256 sums in the database – would make paccheck’s job more thorough without the need for full mirror compare. I even provided a simple patch for their script. Yet they simply refuse to include it for no known reason. You can see and vote on these here and here. They are very effective interim solutions which will improve your security substantially while the pacman devs wrestle with their full-blown package signing (for how many more years no one knows).
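To make the two interim measures described above concrete, here is an added illustration; it is not part of the original post, not paccheck, and not a pacman patch or any code from the Arch project. It parses package entries in the `%KEY%`/value layout pacman's sync database uses, assumes a `%SHA256SUM%` field has been added as proposed, compares the packages in a cache directory against those sums, and provides a check of a detached signature over the database file (via `gpg --verify`) so that the sums are only trusted once the database itself has been verified. The package payloads, file names, and directory layout are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Constructed package payloads standing in for real .pkg.tar.xz files.
SAMPLE_PACKAGES = {
    "foo-1.0-1-x86_64.pkg.tar.xz": b"foo package contents",
    "bar-2.3-1-x86_64.pkg.tar.xz": b"bar package contents",
}


def make_desc(filename, name, data):
    """Build one desc entry in pacman's %KEY%\\nvalue\\n\\n layout.
    The %SHA256SUM% field is the proposed addition, assumed here."""
    return "%FILENAME%\n{}\n\n%NAME%\n{}\n\n%SHA256SUM%\n{}\n\n".format(
        filename, name, hashlib.sha256(data).hexdigest())


def parse_desc(text):
    """Parse a desc entry into {KEY: [values]}; blank lines end a section."""
    entry, key = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            entry[key] = []
        elif line and key is not None:
            entry[key].append(line)
    return entry


def sha256_file(path):
    """Hash a file in chunks so large packages do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_packages(descs, cache_dir):
    """Compare each package named in the database against the sum the
    database carries.  Returns {filename: "ok" | "mismatch" | "missing"}."""
    results = {}
    for text in descs:
        d = parse_desc(text)
        filename, expected = d["FILENAME"][0], d["SHA256SUM"][0]
        path = os.path.join(cache_dir, filename)
        if not os.path.exists(path):
            results[filename] = "missing"
        elif sha256_file(path) == expected:
            results[filename] = "ok"
        else:
            results[filename] = "mismatch"
    return results


def verify_db_signature(db_path, sig_path):
    """Verify the database's detached signature with gpg before trusting any
    sum in it.  Returns True/False for gpg's verdict, or None when gpg is not
    installed, so a caller can tell "unverified" from "bad signature"."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--verify", sig_path, db_path],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def demo(cache_dir=None):
    """Write the constructed packages into cache_dir, tamper with one, leave
    one out, and return the per-package check results."""
    if cache_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    descs = []
    for filename, data in SAMPLE_PACKAGES.items():
        descs.append(make_desc(filename, filename.split("-")[0], data))
        with open(os.path.join(cache_dir, filename), "wb") as f:
            f.write(data)
    # A package the database lists but the cache never received.
    descs.append(make_desc("baz-0.1-1-x86_64.pkg.tar.xz", "baz",
                           b"baz package contents"))
    # Simulate a mirror that served an altered bar package.
    with open(os.path.join(cache_dir, "bar-2.3-1-x86_64.pkg.tar.xz"), "wb") as f:
        f.write(b"bar package contents, altered")
    return check_packages(descs, cache_dir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Running the script prints `ok` for foo, `mismatch` for the altered bar package, and `missing` for baz. In real use the sequence would be: fetch the database and its detached signature, refuse to proceed unless `verify_db_signature` returns `True`, then run `check_packages` over the downloaded packages; a mismatch from any mirror is then detectable from the single signed database rather than by comparing whole mirrors.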
As for coding pacman, my discussion with the devs revealed that at least some are disgruntled with Allan’s handling of the code they submit, in that it never sees the light of day. It is discouraging to put work into something only to have that work disregarded. I myself would consider working on this, but I have to believe that Allan (or whomever) would simply find an excuse to dismiss whatever I submit, just like Allan seems to do with every idea and patch submitted in this area, despite his claims and invitations to the contrary. Arch is unapproachable in this area – why?
So Allan’s endlessly repeated claim that there is just insufficient manpower to immediately close this security hole is simply false – signing the database would close much of the problem, and I have offered to adjust paccheck to make use of such a signature. Adding this signature is trivial and there is a developer willing to make that change. It is simply being blocked by a bureaucracy – Arch is not maturing well. It is run more like a closely guarded personal pet project than a community-supported project. His claim that no one is willing to contribute is false.
From what I can tell, Allan is the main stopping point for why this has gone nowhere for YEARS. He claims he doesn’t care about it, but aggressively campaigns against any improvement to Arch’s security in this area, no matter how trivial. I can’t even have a conversation about it with the other devs without him butting in and aggressively derailing it. I can’t explain the reason for this behavior, and believe what you will, but Allan’s claims are largely false. I can easily see why the developers are discouraged and have stopped attempting to contribute to Arch (which is actually a larger issue affecting Arch in general – I can’t imagine why.)
As for being lucky in spotting a compromised mirror among over 150 mirrors before someone is affected, good luck with that.
In case you think this is all theory, here is a real life example of a compromised Linux mirror, which wasn’t discovered for almost one year.
As for the behavior on this forum of hiding this information from users, I think it is very poor practice. If you deem it necessary to close some of these threads, so be it. But why are you moving them off the main boards into the dustbin? Obviously it’s embarrassing to the Arch devs, but users have a right to be made aware of this issue so they can evaluate how it affects them. And you might consider that the reason the issue keeps coming up is that people want to discuss it. At any rate, anyone is welcome to discuss it on my blog – I don’t delete non-spam comments, even when people call me names and later apologize. The discussion there evolved quite well and eventually quieted down, when everyone had had their say. A novel concept to you perhaps, but intelligent discourse has its advantages. As the Arch devs are abandoning the users in this area, it would be helpful for users to discuss the ramifications and makeshift solutions. Compare this forum’s behavior with the ArchBang forum, where a similar thread was made a sticky.
Perhaps it would be best to make the trollbin/dustbin open for posting if you can’t tolerate discussion about Arch in the Arch Discussion forum.
Also, I would encourage Arch users to find another forum for discussing this openly – don’t limit yourself to this forum. LinuxQuestions, Archbang forum, etc. – there are many out there, some already with discussions about it (search for “Arch’s Dirty Little Not-So Secret”, as that article was picked up by Linux Today and resulted in a lot of discussion about Arch elsewhere). Arch Forums is indeed free to run their forums however they please, even to the point where it inhibits Arch’s development and growth, and since they don’t seem to respond functionally to any feedback on their practices, it may be best to abandon it for more helpful and honest forums. Regardless of your take on this issue, it is hard to argue that users shouldn’t evaluate it for themselves.
A few links:
Anandtech Forum: Critical Security Flaw in Arch
Reddit: Arch’s Dirty Little Not-So-Secret
Kubuntu Forums: Arch’s Dirty Little Not-So-Secret (started by me but others’ opinions there as well)
Arch Dustbin: 0wning Arch: Why Package Signing Is Important (no, I am not the author of that thread, despite Misfit’s allegations – perhaps the intelligence of the post fooled you, but you would do well not to make unfounded statements about my posting under false names – I have no need to do so) [reprint]
and more – lots of places to discuss this and anything else about Arch forbidden here.
UPDATE: My Move From Arch To Aptosid