Weblog

I would like to respond to a post by Chris Wadge about the security of his Hiawatha Debian packages.

In his post he said he has received several questions about the security of the Hiawatha Debian packages he has made available. Although he thinks those are valid questions, I think they are a bit weird. Questions like 'Are your packages secure?' are pointless, because would you ever expect to get 'no' for an answer?

Let me first explain a bit more about security and trust. Security begins where trust ends. I trust my wife, I trust my family, I trust my friends. Of course, my wife has a key to our home, but without any doubt I would give the key to our home to any family member or a friend if it was needed in any situation. There is no need for me to take any security measures. Trust is needed to make life easier. Of course, I don't give the key to our home to a complete stranger, because I can't trust them. That's where security starts.

If you think about this a bit more, you might wonder why I don't give all my friends a key to my home. I trust them, right? Yes, I do trust them completely, but I don't trust Murphy and his law, I don't trust 'bad luck' and I don't trust pickpockets. There is no need for them to permanently have a key to my home, so there are only risks and no benefit from that. So, again, security takes over.

Trust is mainly based on experience, your own experience or experience by other people you already trust. I trust my friends, because in the past they've shown me to be trustworthy. People who have once abused that trust are no longer my friends. I trust my friends' judgement, so there is also some form of trust towards the friends of my friends. For some things I trust them, like lending them a movie. For other things, like giving a key to my home, I don't.

Back to Chris Wadge's Debian Packages. There are two options:

  1. You decide to trust him and use his packages.
  2. You decide not to trust him (yet) and to verify the integrity of his packages (= security measure!)

The case where you find a security issue in his package, which is related to his packaging, will be clear to everybody. But what if you don't? It will require a lot of time and knowledge to completely prove that his packaging is done securely. Unless you are willing to do this for every package he releases, you will come to a point where you decide to trust him or not.

With all this in mind, I hope you understand that it's a bit weird to ask Chris Wadge about the security of his packages. I'm not going to say whether you can trust Chris Wadge or not. That's for you to decide. All I can say is that every time we 'spoke' via e-mail, he has proven to me that he knows very well what he's talking about when it comes to IT (security), and he has always shown a very professional attitude. The rest is up to you.

Chris Wadge
4 December 2014, 10:00
Thanks for the kind words, Hugo. It's also worth noting that I'm a systems & security professional by trade, so tampering with or mishandling these packages would effectively end my credibility, and therefore my career. I'm in the US, but if NSA got to me I'd simply retire from doing these builds.

Still, the only way to truly guarantee the security of the package is to audit and subsequently build every package in your build chain, including the compiler, in a known-good environment (which has to start with binaries somewhere along the way!), on hardware that is 100% known down to the individual gates in each IC, then build Hiawatha yourself on top of that. Of course the binaries in my packages are in no way obfuscated, so it's entirely possible to decompile them yourself and compare against the upstream source if you're paranoid, but not so paranoid that you need to make your own build environment in an underground bunker.

The above being said, I'm actually glad people are thinking about security, and wanted to know more about what my processes looked like before deciding whether to use my package. That's good diligence.

Gour
4 December 2014, 13:26
Hello Chris,

I regularly used your Hiawatha packages while running Debian (Sid), but I must say that, unfortunately, I'm no longer a Debian user - switched to openSUSE some days ago.

Still, let me thank you for your service to the community of Hiawatha users.

Sincerely,
Gour

p.s. Are you aware of openSUSE's OBS [build.opensuse.org] service, which allows one to build packages for several popular distros at once?

Frank from Germany/Berlin
18 January 2015, 16:55
Hallo Hugo, Hallo Chris!

Well said - or written for that matter.
It all boils down to being able to make an informed decision which also takes the convenience factor into account. In any case, building/installing Hiawatha on a Debian system is very straightforward if one bothers to read Hugo's short README file.

Frank