Chain of trust
There is a lot of talk about secure boot recently – mostly because of the windows 8 certification requirements. Secure boot gives makes it harder (but not impossible) for malware such as rootkits to start at boot time and then control the operating system. It creates a chain of trust from the hardware to the bootloader to the operating system, so criminals cannot break that chain.
However, if we want to protect open source software against criminals there is a different chain of trust that we need to protect: the chain from upstream developers to the end-user. There are quite a few bits and pieces in place already, but some essential parts are missing. In august 2009, for example, the web server from the squirrelmail webmail project was hacked, and two plugins were compromised with malware. It was lucky that the hack was discovered very quickly so little harm was done, but that could have been much worse.
Most open source projects use a version control system for their source code that involves some form of crypto authentication. Some very basic, like a login over ssh to a subversion or cvs server, other require every patch to be signed with a PGP key. Most distributions use some form of signing to protect the integrity of their packages. But the step from upstream development to the distribution is often not secured at all. Many upstream developers offer a md5 or sha1 sum of the downloads – but hey, once the criminals hack your webserver, they can change both the md5 and the tarball with the source code!
So what should we do?
If all upstream developers would sign their releases with PGP, and distributions should check if the source tarball is correctly signed, and signed with a trusted key, it would be much harder for criminals to interfere with this step. The level of trust could be very minimal (just check if the source tarball is signed with the same key as the previous time we downloaded the package) or very high (require a web of trust where keys have to signed after an official government issued ID has been checked such as Debian requires), just depending on the importance of the package.
Bluefish source tarballs have been PGP signed for a while already. Now it’s time for the distributions to automatically check these signatures when building a package.