[tor-dev] Comments on Yawning's Draft proposal for Debian
bancfc at openmailbox.org
Sun Jun 12 14:41:57 UTC 2016
I thought the proposal [1] is well written but there is one major point
it should include:
Sometimes apt/dpkg can contain remotely exploitable bugs, which is a big
risk when updates are fetched over HTTP. As it happens, anyone could
have been in a position to poison the update process and take over the
machine because of [CVE-2014-6273] in apt-get [2]. What makes
this bug crippling is that updating apt to fix it would have exposed it
to what the fix was supposed to prevent. The safest option this time was
to manually download the fixed package out of band. Updating from an
Onion Service would protect systems from any tampering/attacks at the
Exits while bringing all the usual benefits of package metadata privacy.
***
While there's been some progress to set up Debian APT Onion Services
[3][4], it's still a long way away from being enabled as a safe default.
This problem, along with many others summarized in the Debian wiki [5] (such
as upstream patching of chatty apps that leak system information like
pip [6]), would make great talking points at the next DebConf.
[1] https://yawnbox.com/index.php/2016/05/03/draft-proposal-for-debian/
[2] http://security-tracker.debian.org/tracker/CVE-2014-6273
[3] http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/
[4] http://richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/
[5] https://wiki.debian.org/TorifyDebianServices
[6] https://lists.debian.org/debian-security/2016/05/msg00059.html
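An added example (not part of the post above, and not Debian's or Tor's own code) of the two mitigations the post describes: switching sources.list entries from plain http:// to the tor+http:// transport so the fetch terminates at an Onion Service rather than an Exit, and checking the SHA256 of a package fetched out of band against the hash in the signed index before installing it. It assumes apt-transport-tor is installed (it provides the tor+http:// scheme) and a local tor daemon; the onion hostnames below are placeholders, not real Debian addresses, and the sample sources.list is constructed.

```shell
#!/bin/sh
# Added example; not code from the original post, Debian or Tor.
# Assumes: apt-transport-tor installed, tor running on the default SOCKS port.
# The onion hostnames are placeholders (assumption): substitute the addresses
# Debian publishes for its mirrors.
set -eu

# Placeholder mapping from clearnet mirror host to onion hostname.
onion_for_host() {
    case "$1" in
        ftp.debian.org|deb.debian.org) echo "placeholder-main-mirror.onion" ;;
        security.debian.org)           echo "placeholder-security-mirror.onion" ;;
        *)                             echo "" ;;
    esac
}

# Return 0 if a deb/deb-src line fetches over plain http:// (the case the post
# warns about: a remotely exploitable apt bug is reachable by whoever controls
# the path, e.g. a Tor Exit), 1 otherwise.
is_plain_http() {
    printf '%s\n' "$1" | grep -Eq '^deb(-src)?([[:space:]]+\[[^]]*\])?[[:space:]]+http://'
}

# Rewrite the scheme and host of a deb/deb-src line to tor+http://<onion>,
# leaving any [options], the path, suite and components untouched.
# $1: sources.list line, $2: onion hostname. Prints the rewritten line.
torify_line() {
    line=$1; onion=$2
    printf '%s\n' "$line" | sed -E \
        "s#^(deb(-src)?([[:space:]]+\[[^]]*\])?[[:space:]]+)http://[^/[:space:]]+#\1tor+http://${onion}#"
}

# Extract the host from a plain-http line so it can be mapped to its onion.
host_of_line() {
    printf '%s\n' "$1" | sed -E 's#^[^ ]+([[:space:]]+\[[^]]*\])?[[:space:]]+http://([^/[:space:]]+).*#\2#'
}

# For the out-of-band case: after fetching the fixed .deb some other way,
# compare its SHA256 with the one listed in the Packages index (whose Release
# signature you have already checked with gpg) before running dpkg -i.
# $1: path to .deb, $2: expected hex digest. Returns 0 on match, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Walk a sources.list and print each weak line next to its torified form.
demo() {
    tmp=$(mktemp)
    # Constructed sample sources.list, typical of a jessie box in 2016.
    cat >"$tmp" <<'EOF'
deb http://ftp.debian.org/debian jessie main
deb-src http://ftp.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main
# already fine: deb tor+http://placeholder-main-mirror.onion/debian jessie main
EOF
    while IFS= read -r l; do
        if is_plain_http "$l"; then
            onion=$(onion_for_host "$(host_of_line "$l")")
            echo "weak:  $l"
            if [ -n "$onion" ]; then
                echo "fixed: $(torify_line "$l" "$onion")"
            else
                echo "fixed: (no onion known for this host; leave as-is)"
            fi
        fi
    done <"$tmp"
    rm -f "$tmp"
}

demo
```

The rewrite only touches the scheme and host, so suites, components and [arch=...] options survive unchanged; lines whose host has no known onion are reported rather than silently rewritten. The hash check is deliberately separate from the download: the point in the post is that when apt itself is the vulnerable component, the fetch and the verification should not depend on the same code path.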