5

To install Sublime, it wants me to add a GPG key and a sources.list entry so that apt-get can find it. A couple of other programs have asked for the same. Why isn't it a security risk to add more domains to sources.list?

That is: suppose package A is supposed to come from host B. I add host C in a new sources.list. Host C gets subverted, an attacker hosts a malicious package and calls it A. Next time I try to update A, apt-get checks the sources and decides to download it from C instead of B, and I get the malicious version.

jwodder
  • 448

1 Answer

15

The answer: It is.

It's always a risk introducing additional sources for packages, regardless of what distro/OS you're using. The use of GPG keys, in theory, helps to mitigate the risks, since in theory, someone would have to:

  1. get access to the server where the binaries are being served from
  2. get access to the private GPG key that was used to sign the binaries
  3. package new versions of compromised binaries, sign them, and then put them on the server

In this scenario, someone would have to get through multiple layers to do something nefarious. As is always the case with security, it's all about layers! In order for a community to thrive and stand on the shoulders of others, you have to be willing to forgo isolation and put your trust in others.

And keep in mind, the servers that serve files have been compromised before to varying degrees, but it's typically caught right away and can be addressed in short order.

Previous Attacks

Tips

  • Always scrutinize URLs and make sure they are legit
  • Don't add repos unless you absolutely need a package from them
  • Periodically vet your sources.list
  • Periodically vet the GPG keys used by sites to sign packages
  • Be diligent about staying up to date on packages
slm
  • 369,824
  • 2
    Along with periodically vetting sources.list (and sources.list.d/*), I'd recommend periodically vetting the installed keys. – Stephen Kitt Aug 04 '18 at 17:34
  • @StephenKitt - excellent point, I'll add it. – slm Aug 04 '18 at 17:34
  • Also, make use of the Signed-By attribute to place restrictions upon keys rather than adding them globally. – JdeBP Aug 04 '18 at 19:03
  • By "vet your sources.list", you mean to look through it and remove anything I don't need anymore? – Sam Jaques Aug 04 '18 at 20:36
  • 1
    @SamJaques yeah eliminate anything you no longer need but more importantly make sure the URLs remain legit. – slm Aug 04 '18 at 21:11
  • The AUR "attack" is different, since packages (or rather, scripts for building packages) there are uploaded by users without any verification. And instructions recommend reading the build script before using it. So it's not really that much different from "someone uploads virus on their own GitHub account". – Ian D. Scott Aug 05 '18 at 16:05
  • More details are now at https://unix.stackexchange.com/a/463140/5132 . – JdeBP Aug 17 '18 at 09:19
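As an added illustration of the answer's "periodically vet your sources.list" tip and JdeBP's Signed-By comment (example code, not from the original post or from apt itself): a small POSIX shell audit of one-line-style apt source entries. The ALLOWED_HOSTS list, the keyring path and the sample lines are constructed for the example; in real use you would feed it /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.

```shell
#!/bin/sh
# Audit one-line-style apt source entries for the checks the answer recommends:
# is the host one you vetted, is transport plain HTTP, and is the key scoped
# with signed-by= (instead of trusted globally for every repository)?

# Hosts you have vetted (assumed list, constructed for this example).
ALLOWED_HOSTS="deb.debian.org download.sublimetext.com"

# Constructed sample of what sources.list / sources.list.d/*.list might hold.
SAMPLE='deb http://deb.debian.org/debian stable main
# deb-src http://deb.debian.org/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/sublime.gpg] https://download.sublimetext.com/ apt/stable/
deb https://example.invalid/apt stable main'

# audit_sources: reads source lines on stdin, prints "<host>: <findings>".
# Findings: OK, NO-SIGNED-BY (key trusted globally), PLAIN-HTTP, UNEXPECTED-HOST.
audit_sources() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac           # skip blanks and comments
        case "$line" in 'deb '*|'deb-src '*) ;; *) continue ;; esac
        rest=${line#deb}; rest=${rest#-src}; rest=${rest# }  # drop the type keyword
        opts=""
        case "$rest" in                                       # optional "[key=val ...]"
            '['*) opts=${rest#\[}; opts=${opts%%\]*}; rest=${rest#*\]}; rest=${rest# } ;;
        esac
        url=${rest%% *}
        host=${url#*://}; host=${host%%/*}
        findings=""
        case " $ALLOWED_HOSTS " in *" $host "*) ;; *) findings="$findings UNEXPECTED-HOST" ;; esac
        case "$url" in http://*) findings="$findings PLAIN-HTTP" ;; esac
        case "$opts" in *signed-by=*) ;; *) findings="$findings NO-SIGNED-BY" ;; esac
        printf '%s:%s\n' "$host" "${findings:- OK}"
    done
}

# audit_sample: runs the audit over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_sources
}

audit_sample
```

Any entry reported as UNEXPECTED-HOST is exactly the host-C case from the question; NO-SIGNED-BY means that repository's key is accepted for every source, not just its own.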