3

One of the purported advantages of open-source software is that in being so, it allows for multiple eyes on the code, and enables faster resolution of bugs. I think, also implied is an assurance about there not being any intentional security loop-holes in it.

Now, is that necessarily true? If I look at this in the context of GNU/Linux, you receive signed binaries from your favorite distro (even if source, you obviously don't have enough time to go through it all before installing). Isn't this flawed in terms of 'authenticity' of software?

Is there any way of implementing a security structure where code stays on an openly accessible platform from which you can calculate checksums to compare with what you got? Can this procedure be automated? Isn't such a procedure required?

INV3NT3D
physkets
    Sounds like the term you're looking for is "deterministic builds". – Ajedi32 Nov 08 '16 at 14:48
  • This looks like a duplicate of [this](https://security.stackexchange.com/questions/41734/trust-issues-relative-to-open-source). But I think it fails to address my concerns. – physkets Nov 08 '16 at 14:54
  • @Ajedi32 That would be nice, but I think a softer requirement like comparison of a checksum of a downloaded binary is sufficient for this. – physkets Nov 08 '16 at 14:58
  • 1
    Comparison with what? That just moves the problem from "do I trust this binary" to "do I trust this hash"? – Ajedi32 Nov 08 '16 at 15:03
  • @Ajedi32 true, so then a simple solution is only possible for source based distros where they can compare hashes of what they got with those computed in real time from those sitting in an open repository. – physkets Nov 08 '16 at 15:13
  • I'm still not really sure what you mean by "an open repository". Do you mean a public server you can download the binaries from? – Ajedi32 Nov 08 '16 at 15:15
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/48177/discussion-between-physkets-and-ajedi32). – physkets Nov 08 '16 at 15:19
  • Another thing you'll want to consider is if the code you're using will come under any auditing or compliance scrutiny. Good luck getting an auditor to sign off on some open source software (it can be done, but it's a pain). – cyb3ard Nov 08 '16 at 19:59

2 Answers

2

No
Open source means source code is publicly available. Unless you download the source code and build an executable yourself, you can't be sure that your binary is built from exactly the same code as what you saw.
As mentioned in the comments, having a public server where you can download the software and verify its checksum just changes the trusted property of a download. And mind you, checksums are not trustworthy: Mint was hacked.

> One of the purported advantages of open-source software is that in being so, it allows for multiple eyes on the code, and enables faster resolution of bugs. I think, also implied is an assurance about there not being any intentional security loop-holes in it.

There are multiple variants of open source which vary in the degree of openness and trust. I say this because it is relevant to your point on quick fixes.

  1. Internal open source
    Internal open source usually means that there is a library that is being developed by multiple teams across an organization. Every member of that organization has access to the code but people outside the org don't. Since these libraries are usually critical to the organization's development, they get a quick resolution.

  2. Pure open source
    These are tools like Linux Mint/Ubuntu etc. Here everyone gets to see the source code but you don't always get quick resolutions. So if you find a security bug in an open source tool that you are using, you probably fix the bug yourself and update the changes upstream. You can't really trust for it to have no intentional security loop-holes. There can be some if the developers of the system intended to do so.

Limit
  • As I said in the comments, it is true that implementing this for a binary-based distro would be hard. But think of a source-based distro. In that case, isn't this possible, and maybe necessary? – physkets Nov 08 '16 at 16:39
  • @physkets If the open source code is hosted by git, you should get the latest snapshot of the code anyway. – Limit Nov 08 '16 at 16:53
  • I'll be using the packages that the distro supplies because I wouldn't want to deal with compatibility issues and updating. So if we had a system where we could ensure that what we got is what is visible to everyone, would improve security. – physkets Nov 09 '16 at 04:01
  • @physkets please explain the following things: 1. What do you mean by packages? The executable binaries? 2. What do you mean by source based distro? – Limit Nov 09 '16 at 04:03
  • I mean a distro like Gentoo, and the packages are what ever the distro offers through its package management system. – physkets Nov 10 '16 at 10:54
  • If you download a package from a package management system, don't you think that it is what is visible to the system? Plus, IIRC package managers do an integrity check of the packages that they downloaded – Limit Nov 10 '16 at 13:57
  • Yes, but what if the distro is itself compromised? – physkets Nov 10 '16 at 14:09
  • That would be the case when the attackers hack into the distribution centers like they did in the case of mint. The thing is, having a standalone website would mean the attacker would target the standalone website instead of the distro. The solution that you can instead think of is have multiple secure locations where you store the copies and validate the checksum with all of them – Limit Nov 10 '16 at 14:15
  • Sure.. that would be nice, but an important part of the measure is visibility of the exact code that is being checked against, so that any mods made by the distro are also visible. – physkets Nov 11 '16 at 07:57
0

> One of the purported advantages of open-source software is that in being so, it allows for multiple eyes on the code, and enables faster resolution of bugs. I think, also implied is an assurance about there not being any intentional security loop-holes in it.
>
> Now, is that necessarily true?

Not at all. The implication is that if someone intentionally introduces a vulnerability,

  1. At least one person will look at the change, either before or after it goes into the accepted version of the software,
  2. At least one of those persons who look at the change will notice the vulnerability, and
  3. At least one of those persons who look at the change and notice the vulnerability is not compromised and will bring up the issue.

Open-source licenses, and more importantly, the software development processes common in open-source software development, make it more likely all of these conditions are true. However, it does not guarantee any of them, which is particularly evident in smaller projects with only a single primary author.

From a security perspective, the advantage of open-source software is that it allows you to guarantee assertions 1 and 3 by doing an audit yourself.

Xiong Chiamiov
  • Okay, so I am contending that even that much security is lost due to lack of authenticity because we get software through distros, and not the original 'repository'. If a distro is compromised, there is no way of knowing, because the source that they use is not available anywhere. – physkets Nov 10 '16 at 10:57
  • Your question then isn't about open source, but about package management. – Xiong Chiamiov Nov 10 '16 at 23:44
  • True... I mention open-source because that is an essential part of it; that it must be possible to check against the exact source that is distributed, which in turn, must be openly accessible. – physkets Nov 11 '16 at 07:59