LWN Picks Up On Package Signing
In their latest issue, LWN.net, one of the definitive news sites providing comprehensive coverage of development, legal, commercial, and security issues related to Linux, published their article “Arch Linux and (the lack of) Package Signing”:
The Arch Linux user and developer community has been engulfed in sharply divisive debate recently over the issue of package signing. It started when an Arch user blogged about the distribution’s lack of package signatures, the security risk it created, and his own frustrations with the core developers’ response to the issue. The ensuing argument has since spread to include Arch’s development model and a variety of leadership questions, but the root problem remains unsolved: there is still no mechanism to verify the authenticity of “official” Arch Linux packages.
To blogger IgnorantGuru, this constitutes an unacceptable security risk. In February, he blogged about his concerns, noting that without a method for Arch users to verify that a package is unaltered, packages can be replaced with Trojan-horse-laden code.
The author, Nathan Willis, contacted me earlier this week to ask some questions, and I feel his article provides a very comprehensive review of the core issues, including the problems with Arch’s devs refusing contributions in this area and stalemating Arch’s security improvements for years. I think it’s great that LWN is reporting to their subscribers so candidly and giving this issue much needed visibility. The article concludes in part:
In the final analysis, Arch users are exposed to a security threat both by the distribution’s lack of package signing and by the core developer’s resistance to adopting it. However much the Arch “philosophy” says each user is responsible for his or her own system, IgnorantGuru is correct in his first blog post when he observes that without signatures, the distribution’s infrastructure is vulnerable to every exploit found in every other system on the path between the main project server and the user’s PC…
The ongoing discussion in the comments there is robust and also highlights some ways that Gentoo may still have vulnerabilities related to this (at least according to some), so I believe discussing these issues openly and without censorship is valuable.