Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Curt Sampson <cjs@cynic.net>
List: tech-security
Date: 07/25/2005 11:55:41
On Sat, 23 Jul 2005, Steven M. Bellovin wrote:

>> It doesn't seem hard to produce a warning or an error if there are any
>> files in the archive not listed in the signature document, outside of
>> the signature document itself.
>
> It's not a warning, it's a flat-out error.  Think of, say, /root/.profile
> or /etc/shosts being in the archive.

Ok.

>> Duplicate entries?
>>
>> If there are two files with the same name in the archive, the later
>> would be extracted over the earlier, anyway. Either they are the same
>> file, then, in which case we check twice and both pass, or they are
>> different, in which case one will fail the check, which can be treated
>> as any other failure.
>
> Will the later be extracted over the earlier?  I've seen extraction
> programs that refuse to overwrite existing files.  Or what if the
> verification against the hash is done at extraction time?

I think you'd definitely want to verify all of the files' hashes before
extraction, so you don't do a partial extraction of a corrupt archive.
As for whether you extract the second copy and overwrite the first, if
they're the same file, it ought not matter; if they're different, the
hash check will fail.

> It's as strong *if* you've defined all the cases properly.  The
> examples I've given are places where a straightforward approach just
> doesn't cut it; it's not well-enough defined.

Ok; so we do need to define this clearly. I'll write up something at
some point and we can give it a good going-over.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
      Make up enjoying your city life...produced by BIC CAMERA
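The checking rules discussed in this thread (an unlisted file is an error, every member is hashed before anything is extracted, and each copy of a duplicate name is checked), as an added Python example that is not part of this post or of any package tool; the manifest member name `+MANIFEST`, the `{path: sha256}` manifest layout and the sample file contents are assumptions, and the manifest's own signature is taken to have been verified beforehand.

```python
import hashlib
import io
import tarfile

MANIFEST_NAME = "+MANIFEST"  # assumed name of the signature document inside the archive

def build_archive(entries):
    """Tar in memory from (name, bytes) pairs; duplicate names are written twice."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_archive(tar_bytes, manifest):
    """Check every member against manifest {path: sha256 hex} before extracting
    anything; the manifest's own signature is assumed already verified.
    Returns a list of error strings (empty means the archive is clean)."""
    errors, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar:
            if m.name == MANIFEST_NAME or m.isdir():
                continue
            if not m.isfile():  # symlinks, devices etc. carry no hash to check
                errors.append(f"{m.name}: unhashed member type")
                continue
            expected = manifest.get(m.name)
            if expected is None:  # unlisted file: a flat-out error, not a warning
                errors.append(f"{m.name}: not listed in manifest")
                continue
            # Every occurrence of a duplicate name is hashed, so a differing
            # second copy fails regardless of which one the extractor would keep.
            if hashlib.sha256(tar.extractfile(m).read()).hexdigest() != expected:
                errors.append(f"{m.name}: hash mismatch")
            seen.add(m.name)
    errors += [f"{p}: in manifest but absent" for p in sorted(set(manifest) - seen)]
    return errors

# Constructed sample package: one listed file plus a placeholder manifest member.
HELLO = b"#!/bin/sh\necho hello\n"
MANIFEST = {"bin/hello": hashlib.sha256(HELLO).hexdigest()}
STUB = b"(signed manifest placeholder)\n"
GOOD = build_archive([(MANIFEST_NAME, STUB), ("bin/hello", HELLO)])
UNLISTED = build_archive([(MANIFEST_NAME, STUB), ("bin/hello", HELLO), ("root/.profile", b"x\n")])
DUPLICATE = build_archive([(MANIFEST_NAME, STUB), ("bin/hello", HELLO), ("bin/hello", b"other\n")])

if __name__ == "__main__":
    for label, archive in [("good", GOOD), ("unlisted", UNLISTED), ("duplicate", DUPLICATE)]:
        print(label, verify_archive(archive, MANIFEST) or "OK")
```

Because the whole archive is walked before any extraction, a corrupt or tampered package is rejected outright instead of being half-unpacked.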