The chain of trust from developer to end-user

In open source, security on July 29, 2010 by oli4444

Cyber-crime is rising. Open source software is slowly becoming more mainstream. And thus cyber-criminals will more and more try to target open source software users.

One of the weak paths in software security is the distribution path from developer to the end user. But this is often quite different for open source users compared to proprietary software. There are big advantages, but also some big disadvantages.

The author/maintainer creates a release and uploads it to the download server. Then ……… ??????? And in the end an end user is running a binary on his or her system. Notice the ??????! What happens on the download server? There have been examples where open source software was compromised on the download server (squirrelmail, for example, had a serious issue). And do you trust all of the mirrors? Can you trust the packager? Do you know who the packager is? Do you trust the packager's download server?

Several Linux distributions already do good work here. Debian and Ubuntu sign their package lists. So once the user trusts the distribution key, and the process that keeps that key secure, the path from the Linux distribution to their own system is quite secure. This is a tremendous advantage compared to the situation on the average Windows machine. But is it good enough? The path from authors/maintainers to the Linux distributions is not always signed. Some developers do sign all their releases, but are those signatures checked by the distribution packagers?
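The check the last question asks for, as an added example that is not from the original post: a packager-side script that verifies the detached signature on an upstream tarball and rejects it unless the signing key matches a fingerprint pinned out of band, so a key swapped on a hacked download server or mirror does not pass. It assumes gpg is installed and that the upstream key was imported earlier into a dedicated keyring file; file names and the fingerprint in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies an upstream release
# tarball against its detached signature AND against a fingerprint the
# packager pinned beforehand, so "some key signed it" is not enough.
# Assumes gpg is installed and the upstream key sits in the given keyring.
# Return codes: 0 verified, 1 bad signature or wrong key, 2 missing input
# file, 3 malformed fingerprint, 4 gpg not available.
verify_upstream_release() {
    tarball=$1; sig=$2; expected_fpr=$3; keyring=$4
    [ -f "$tarball" ] && [ -f "$sig" ] || { echo "missing tarball or signature" >&2; return 2; }
    # A pinned OpenPGP v4 fingerprint is 40 hex digits; normalise spacing and case.
    expected_fpr=$(printf '%s' "$expected_fpr" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$expected_fpr" in
        *[!0-9A-F]*|"") echo "fingerprint must be hex" >&2; return 3 ;;
    esac
    [ "${#expected_fpr}" -eq 40 ] || { echo "fingerprint must be 40 hex digits" >&2; return 3; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 4; }
    # --status-fd 1 gives machine-readable lines; a good signature yields
    # "[GNUPG:] VALIDSIG <signing key fpr> ... <primary key fpr>" on modern gpg.
    status=$(gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) \
        || { echo "signature did not verify" >&2; return 1; }
    # Compare the primary key fingerprint (last field): a signing subkey of the
    # pinned key is accepted, any other key is rejected. If the field is missing
    # the comparison fails closed.
    actual_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
    [ "$actual_fpr" = "$expected_fpr" ] || { echo "signed by unexpected key: $actual_fpr" >&2; return 1; }
    echo "verified: $tarball is signed by $expected_fpr"
}

# Usage with placeholder names (the fingerprint must be the one pinned by the packager):
# verify_upstream_release foo-1.0.tar.gz foo-1.0.tar.gz.asc \
#     "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" upstream-keyring.gpg
```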

Sharpen up before the cyber-criminals get to you!
