OpenBSD Journal

Heads up! Bob Beck (beck@) warns against unofficial OpenBSD mirror

Contributed by jason on from the check-your-sums dept.

Bob Beck (beck@) warns users about a site carrying unofficial 4.5 sets.

Read on for the full mail...

List:       openbsd-security-announce
Subject:    [deraadt@cvs.openbsd.org: Re: I would like to send this to misc@
From:       Bob Beck 
Date:       2009-04-30 17:21:50

 
	Users are cautioned about rogue ftp sites claiming to have OpenBSD.

	The best place to get OpenBSD is from an official CD set, produced in
a secured location.

	It has come to our attention that some ftp sites (ftp.kd85.com) which
are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
at this time. We have noted that what is actually present in the 4.5
directory is not 4.5, but rather a late development cycle snapshot which
they have moved into place claiming it is 4.5. 

 	While we have no problem with anyone mirroring OpenBSD for the good 
of the user community, we do believe that people who offer up the wrong
thing are being deceptive and will hurt the userbase - particularly when
the packages being offered up are not the release versions.

 	Please ensure you look at http://www.openbsd.org/ftp.html when
choosing to do an ftp install, and don't be fooled by someone "phishing"
for your ftp traffic.



Comments
  1. By Daniel Kluge (2a01:198:215:1337:21e:c2ff:fe12:bea6) dkluge@acm.org on

    Can we stop with this silly Theo vs. Wim backstabbing?

    At this time it looks like ftp://ftp.eu.openbsd.org/ (which is an official 2nd level mirror) carries exactly the same files as ftp://ftp.kd85.com/ does, so the above is just plain FUD!


    Comments
    1. By Bob Beck (129.128.11.43) beck@openbsd.org on

      > Can we stop with this silly Theo vs. Wim backstabbing?
      >
      > At this time it looks like ftp://ftp.eu.openbsd.org/ (which is an official 2nd level mirror) carries exactly the same files as ftp://ftp.kd85.com/ does, so the above is just plain FUD!
      >
      >
      >
      Bullshit. You didn't even look before saying this.

      Some of the packages in the package directory purporting to be 4.5
      on ftp.kd85.com are almost a month out of date. (example, packages/arm)
      and god knows what else.

      This is not Theo vs. Wim backstabbing. This is about users getting fucked over by a rogue ftp site operator.

      I don't know what to call the operator of an ftp site putting up an old snapshot as something it's not. You guys can all decide,
      because it had to be done deliberately. So then me warning the users about this is backstabbing? You have an interesting notion of that.
      Anyone who feels backstabbed by me warning them that if they install from there they risk getting crap on a pkg_add can hate me. If you
      appreciate the heads up you can buy me a beer.

      Theo didn't send that note. I did, when I checked the mirrors this morning prior to the release announcement. A rogue ftp site is a serious security issue, and users must know about it, even if god forbid it might hurt someone's feelings. Not my fault, I didn't move
      a "4.5" directory into place on that site this morning.

      Most OpenBSD users would probably want to know if someone was serving up something claiming to be 4.5 that isn't.

      But maybe I'm wrong, in which case they are free to ignore my warning and install whatever they like.

      Comments
      1. By Daniel Kluge (2a01:198:215:1337:21e:c2ff:fe12:bea6) dkluge@acm.org on

        > > Can we stop with this silly Theo vs. Wim backstabbing?
        > >
        > > At this time it looks like ftp://ftp.eu.openbsd.org/ (which is an official 2nd level mirror) carries exactly the same files as ftp://ftp.kd85.com/ does, so the above is just plain FUD!
        > >
        > >
        > >
        > Bullshit. You didn't even look before saying this.
        >

        Bullshit yourself, I looked at two different official mirrors and kd85.com, because all the timestamps looked the same. So I downloaded the MD5 files of the i386 release and they were identical.

        > Some of the packages in the package directory purporting to be 4.5
        > on ftp.kd85.com are almost a month out of date. (example, packages/arm)
        > and god knows what else.
        >

        Great analysis, but yes most of the packages seem to be not in sync.

        > This is not Theo vs. Wim backstabbing. This is about users getting fucked over by a rogue ftp site operator.
        >
        > I don't know what to call the operator of an ftp site putting up an old snapshot as something it's not. You guys can all decide,
        > because it had to be done deliberately. So then me warning the users about this is backstabbing? You have an interesting notion of that.
        > Anyone who feels backstabbed by me warning them that if they install from there they risk getting crap on a pkg_add can hate me. If you
        > appreciate the heads up you can buy me a beer.
        >

        Sorry I still don't buy that.

        There is a problem with one FTP server, that doesn't have the correct files you could have said that straight, and not this general security warning type of thing.

        And yes I found it peculiar as well, that I get an email from Wim for the downloads on ftp.kd85.com before the official announcement.

        Comments
        1. By Theo de Raadt (199.185.137.1) on

          Yeah, we needed to provide proof.

          A random ftp server, owned by a guy who WILL NOT sell our stuff anymore in the future because he won't be sold it by us because he is that far in debt, AND who attempted to steal the donation money (we have some of it now), also stole VAT from the government by invoicing things against the donations (quite obviously illegal), and was years behind in paying for the CDs because he tricked us into disappearing our profits... yeah, you should download from his ftp server, even though we did not give him the 65GB of data for the release, yet somehow WONDERS OF WONDERS, he managed to release it before ... EVEN WE DID! Oh but look, that is because it is a mishmash of new and old data that is still being synchronized even as we speak.

          For sure! Enjoy! Whatever it takes to make you and your throw-away IP address happy!

          However, I am positive that there are many people who are very happy to know that FTP server is flawed. Is it rogue? I have no idea. Is it official? No. Does it have some files that are wrong? Yes. Is it to be trusted? We informed our users so that they can decide.

          It is wrong for us to inform our users? No, Bob did the right thing.

          Comments
          1. By Anonymous Coward (194.78.205.247) on

            I stand corrected. And I do apologise if some of my donations were among those that managed to disappear.

          2. By Daniel Kluge (2a01:198:215:1337:21e:c2ff:fe12:bea6) dkluge@acm.org on

            > Yeah, we needed to provide proof.
            >

            No, but clearly separating fact from speculation, as you did so concisely below, would have been so much better.

            > A random ftp server, owned by a guy who WILL NOT sell our stuff anymore in the future because he won't be sold it by us because he is that far in debt, AND who attempted to steal the donation money (we have some of it now), also stole VAT from the government by invoicing things against the donations (quite obviously illegal), and was years behind in paying for the CDs because he tricked us into disappearing our profits...
            >

            So you distrust him because of your financial dispute, I would ask some questions to on motive on that server too. But I'm not party to that dispute so I don't.

            > yeah, you should download from his ftp server, even though we did not give him the 65GB of data for the release, yet somehow WONDERS OF WONDERS, he managed to release it before ... EVEN WE DID! Oh but look, that is because it is a mishmash of new and old data that is still being synchronized even as we speak.
            >

            And yet, I still cannot find anything wrong with his mirror of the release. Yes there are some things missing, but so are half of all packages from the local (official) mirror here.

            I cannot see anything which corroborates the accusation that there are or were files on his mirror which don't belong in the release tree.

            > For sure! Enjoy! Whatever it takes to make you and your throw-away IP address happy!
            >

            Cute.

            > However, I am positive that there are many people who are very happy to know that FTP server is flawed. Is it rogue? I have no idea. Is it official? No. Does it have some files that are wrong? Yes. Is it to be trusted? We informed our users so that they can decide.
            >

            Apart from the wrong claim I totally agree.

            > It is wrong for us to inform our users? No, Bob did the right thing.

            He did the right thing of informing that this is a rogue server, which is not coordinated or controlled by the OpenBSD project, and did get the release through different channels. Any other accusations or insinuations I feel are not appropriate in such a message, or in this discussion.

            -daniel

          3. By Anonymous Coward (84.245.24.117) on

            Could you prove to us that he is in debt?
            or could you disprove his story?
            http://accounting.kd85.com/



            for the rest unofficial == unofficial.
            it's only a pity you take the guy who is in disagreement with you....
            (keep it general or provide a list )

            i would just like you guy to resolve the argument
            (maybe naive but so it was taught by my mother )

            Comments
            1. By Anonymous Coward (85.19.213.88) on

              > Could you prove to us that he is in debt?
              > or could you disprove his story?
              > http://accounting.kd85.com/
              >
              > for the rest unofficial == unofficial.
              > it's only a pity you take the guy who is in disagreement with you....
              > (keep it general or provide a list )
              >
              > i would just like you guy to resolve the argument
              > (maybe naive but so it was taught by my mother )

              This has been discussed to death at misc@ already. Check the
              archives if you're curious.

              Comments
              1. By Anonymous Coward (84.245.24.117) on

                > > Could you prove to us that he is in debt?
                > > or could you disprove his story?
                > > http://accounting.kd85.com/
                > >
                > > for the rest unofficial == unofficial.
                > > it's only a pity you take the guy who is in disagreement with you....
                > > (keep it general or provide a list )
                > >
                > > i would just like you guy to resolve the argument
                > > (maybe naive but so it was taught by my mother )
                >
                > This has been discussed to death at misc@ already. Check the
                > archives if you're curious.
                >

                that would have become a mail bomb entering my mailbox. :)
                i don't enlist for misc because of the 'junk' coming from it

                Comments
                1. By jkm (2001:16d8:cc17:10:4c94:339e:bdc9:39a4) on


                  >
                  > that would have become a mail bomb entering my mailbox. :)
                  > i don't enlist for misc because of the 'junk' coming from it
                  >

                  There are web archives you know. And there even is a mail client which suck less.

                  /jkm

                  Comments
                  1. By Anonymous Coward (84.245.2.191) on

                    > > that would have become a mail bomb entering my mailbox. :)
                    > > i don't enlist for misc because of the 'junk' coming from it
                    > >
                    >
                    > There are web archives you know. And there even is a mail client which suck less.


                    Agreed... try outlook.

        2. By Janne Johansson (jj) on .

          > > > Can we stop with this silly Theo vs. Wim backstabbing?
          > > > At this time it looks like ftp://ftp.eu.openbsd.org/ (which is an official 2nd level mirror) carries exactly the same files as ftp://ftp.kd85.com/ does, so the above is just plain FUD!
          > > >
          > > Bullshit. You didn't even look before saying this.
          > Bullshit yourself, I looked at two different official mirrors and kd85.com, because all the timestamps looked the same. So I downloaded the MD5 files of the i386 release and they were identical.
          >
          > > Some of the packages in the package directory purporting to be 4.5
          > > on ftp.kd85.com are almost a month out of date. (example, packages/arm)
          > > and god knows what else.
          >
          > Great analysis, but yes most of the packages seem to be not in sync.

          Being the admin of the second level mirror mentioned above, I can also add that posting releasedirs is not in any way "keep a snapshot and rename at the correct time", so for the coordinated release (which you would need to be on, in order to be able to release at the date he did), you'd be DLing the lot, then putting it up for DL all in one swoop.

          It would be a far louder outcry if we didn't point out that some users close to that ftp get other files than the rest. Really.

      2. By Cindy (64.42.213.4) on

        > > Can we stop with this silly Theo vs. Wim backstabbing?
        > >
        > > At this time it looks like ftp://ftp.eu.openbsd.org/ (which is an official 2nd level mirror) carries exactly the same files as ftp://ftp.kd85.com/ does, so the above is just plain FUD!
        > >
        > >
        > >
        > Bullshit. You didn't even look before saying this.
        >
        > Some of the packages in the package directory purporting to be 4.5
        > on ftp.kd85.com are almost a month out of date. (example, packages/arm)
        > and god knows what else.
        >
        > This is not Theo vs. Wim backstabbing. This is about users getting fucked over by a rogue ftp site operator.
        >
        > I don't know what to call the operator of an ftp site putting up an old snapshot as something it's not. You guys can all decide,
        > because it had to be done deliberately. So then me warning the users about this is backstabbing? You have an interesting notion of that.
        > Anyone who feels backstabbed by me warning them that if they install from there they risk getting crap on a pkg_add can hate me. If you
        > appreciate the heads up you can buy me a beer.
        >
        > Theo didn't send that note. I did, when I checked the mirrors this morning prior to the release announcement. A rogue ftp site is a serious security issue, and users must know about it, even if god forbid it might hurt someone's feelings. Not my fault, I didn't move
        > a "4.5" directory into place on that site this morning.
        >
        > Most OpenBSD users would probably want to know if someone was serving up something claiming to be 4.5 that isn't.
        >
        > But maybe I'm wrong, in which case they are free to ignore my warning and install whatever they like.
        >
        >

        Bob,

        In case no one says thank you for posting your warning, Thank you.

        If that site wants to correct the issue, they can re-add the files, and post their own message in response.

        But, if the site does not post the correct files, then your warning was required.

        Everyone should remember OpenBSD is a product made by a few, supported by a few, but made for everyone. With that said, those who make the product have the right to post any warning they feel fit.

        Once again, thank you.

        Cindy

        Comments
        1. By Anonymous Coward (118.208.110.141) on

          > Everyone should remember OpenBSD is a product made by a few, supported by a few, but made for everyone. With that said, those who make the product have the right to post any warning they feel fit.
          >
          > Once again, thank you.
          >
          > Cindy


          I second that.

          A big Thank You to the OpenBSD team.

          JN

  2. By Bob Beck (129.128.11.43) beck@openbsd.org on


    Before all the crybabies whine to me about this being a Wim versus Theo thing, it's not.

    I watch the release process from the master fanout site, and I check the
    mirrors before we send the release anno. ftp.kd85.com made that directory appear before any of the official 2nd level mirrors did, and
    it's obvious what it is.. snapshots.

    ftp.kd85.com contains at this time some packages that are almost a month out of date - packages/arm is an example.

    Since someone in charge of that site obviously felt it would be a good idea to move a late snapshot into place as 4.5, I felt it prudent to warn users about that. If you install packages from there you will get fucked.

    So, install from there if you want. You decide who you trust. Obviously the site maintainer has the best interests of the OpenBSD community at heart, and me telling the user community about a rogue site is just petty.


    Comments
    1. By sthen@ (2a01:348:108:155:216:41ff:fe53:6a45) on

      > ftp.kd85.com contains at this time some packages that are almost a month out of date - packages/arm is an example.

      it's slightly more peculiar than that actually; a bunch of these are dated before they were even *built*, let alone copied out to ftp...

    2. By Daniel Kluge (2a01:198:215:1337:21e:c2ff:fe12:bea6) dkluge@acm.org on

      >
      > ftp.kd85.com contains at this time some packages that are almost a month out of date - packages/arm is an example.
      >

      Can you point out a package, which is actually different than what's on the official OpenBSD site?

      > Since someone in charge of that site obviously felt it would be a good idea to move a late snapshot into place as 4.5, I felt it prudent to warn users about that. If you install packages from there you will get fucked.
      >
      > So, install from there if you want. You decide who you trust. Obviously the site maintainer has the best interests of the OpenBSD community at heart, and me telling the user community about a rogue site is just petty.
      >

      You might run into problems installing from that site, but it's not because the packages are different binaries than the official ones.

      But what do I know, I just diffed the site against an official mirror....

      Facts please....

      -daniel

      Comments
      1. By Daniel Kluge (2a01:198:215:1337:21e:c2ff:fe12:bea6) dkluge@acm.org on

        > > But what do I know, I just diffed the site against an official mirror....
        >
        > wow, that was pretty fast going downloading and diffing two copies of 65GB of files, the release was only a couple of hours ago.

        My connection is unfortunately not that fast, so I diffed the output of ls -lR (ignoring dates) and I've downloaded some packages and could not find any differences to the 2nd level mirrors.

        There were some things missing, but no real differences.

        But I'm sure someone cleverer than me finds all the outdated binaries on kd85.com.

        Cheers,
        -daniel

        Comments
        1. By Jason Meltzer (129.128.11.8) on

          > > > But what do I know, I just diffed the site against an official mirror....
          > >
          > > wow, that was pretty fast going downloading and diffing two copies of 65GB of files, the release was only a couple of hours ago.
          >
          > My connection is unfortunately not that fast, so I diffed the output of ls -lR (ignoring dates) and I've downloaded some packages and could not find any differences to the 2nd level mirrors.

          You didn't do a meaningful 'diff' of anything then. This isn't about
          the package names matching up, actually, it IS about the dates in
          certain regards. Go read the announcement again.

          > There were some things missing, but no real differences.

          Differences like the packages not actually being 4.5-release? Huge
          material difference... beyond mentioning the fact that someone had
          to intentionally move the packages into the 4.5 directory, i.e. not
          a silly oversight.

          > But I'm sure someone cleverer than me finds all the outdated binaries on kd85.com.

          Why bother, the mirror is tainted. What kind of clueless idiot
          downloads a release from a dodgy mirror.

          -Jason

        2. By Anonymous Coward (59.167.252.29) on

          > My connection is unfortunately not that fast, so I diffed the output of ls -lR (ignoring dates) and I've downloaded some packages and could not find any differences to the 2nd level mirrors.

          Wow, you're happy with testing the integrity of files based on file listings? And you are willing to extend that to the point of using it as a basis for argument?

          I wouldn't go accusing long time trusted insiders of using FUD when all I have to base my accusation on is "looks like".
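
The objection in the replies above is that comparing `ls -lR` listings checks names and sizes, not contents. As an added example (not part of the original thread), this Python script checks a downloaded directory against a BSD-style checksum manifest (`SHA256 (file) = digest`); the set names and file contents are constructed sample data, and the manifest is assumed to come from a source you already trust.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# BSD-style checksum line, e.g. "MD5 (base45.tgz) = <hex digest>"
LINE_RE = re.compile(
    r"^(?P<algo>MD5|SHA1|SHA256) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]+)$")
ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def parse_manifest(text):
    """Return {filename: (algo, hexdigest)}, refusing anything ambiguous."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a BSD-style checksum line")
        algo, name, digest = m["algo"], m["name"], m["hex"]
        # The manifest covers one flat directory; a name with a path part
        # could steer the check at a file outside that directory.
        if "/" in name or name in (".", ".."):
            raise ValueError(f"line {lineno}: path in file name {name!r}")
        if len(digest) != ALGOS[algo]().digest_size * 2:
            raise ValueError(f"line {lineno}: wrong digest length for {algo}")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name!r}")
        entries[name] = (algo, digest)
    return entries


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large sets do not load into memory."""
    h = ALGOS[algo]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def listing(directory):
    """Name and size only: what diffing `ls -lR` output without dates sees."""
    return {p.name: p.stat().st_size
            for p in Path(directory).iterdir() if p.is_file()}


def verify_tree(directory, manifest_text):
    """Compare file contents in `directory` with a trusted manifest."""
    expected = parse_manifest(manifest_text)
    present = set(listing(directory))
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, (algo, digest) in sorted(expected.items()):
        if name not in present:
            report["missing"].append(name)
        elif file_digest(Path(directory) / name, algo) == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["unlisted"] = sorted(present - set(expected))
    return report


def demo():
    """Constructed data: an 'official' tree and a mirror with a stale file."""
    official = {
        "base45.tgz": b"release build of base",
        "comp45.tgz": b"release build of comp",
        "man45.tgz": b"release build of man",
    }
    # Assumption: this manifest came from a source you already trust,
    # not from the mirror being checked.
    manifest = "".join(f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
                       for name, data in official.items())
    with tempfile.TemporaryDirectory() as tmp:
        good, mirror = Path(tmp, "official"), Path(tmp, "mirror")
        good.mkdir()
        mirror.mkdir()
        for name, data in official.items():
            (good / name).write_bytes(data)
        (mirror / "base45.tgz").write_bytes(official["base45.tgz"])
        # Same name and same size as the release file, different bytes.
        (mirror / "comp45.tgz").write_bytes(b"earlier build of comp")
        (mirror / "extra.tgz").write_bytes(b"not in the manifest")
        common = set(listing(good)) & set(listing(mirror))
        listing_agrees = all(listing(good)[n] == listing(mirror)[n]
                             for n in common)
        return verify_tree(mirror, manifest), listing_agrees


if __name__ == "__main__":
    report, listing_agrees = demo()
    print("name/size listing agrees on shared files:", listing_agrees)
    for status, names in report.items():
        print(f"{status:9} {names}")
```

The stale file carries the release file's name and size, so the listing comparison agrees while the digest check reports a mismatch.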

    3. By jason (jason) on http://www.dixongroup.net/

      > The censorship here is somehow irritating.

      Get over it. We're blocking one individual for abuse. If you don't like it, go somewhere else.

      Comments
      1. By tedu (udet) on

        > > > The censorship here is somehow irritating.
        > >
        > > Get over it. We're blocking one individual for abuse. If you don't like it, go somewhere else.
        >
        > For me it looks more then he made a valid point of criticism.
        > You practise censorship.
        >
        > So will I get banned too if I ask something critical?

        http://icanhascheezburger.com/2007/08/23/call-mah-lawyurrz/

      2. By Bob Beck (96.52.0.247) beck@openbsd.org on

        > > The censorship here is somehow irritating.
        >
        > Get over it. We're blocking one individual for abuse. If you don't like it, go somewhere else.

        What? You removed that juvenile sebastien-rother-esque blather from that obviously credible person posting from a TOR router address? I saw it earlier and was looking forward to replying to it after I had nothing better to do.. Now it's gone.. so when I'm old enough that my dick won't get hard in my hand anymore I'll have nothing at all to do! I'll die of boredom crapping in my own diaper instead of feeding the trolls! Damn you jason!!!

      3. By Anonymous Coward (149.254.56.88) on

        > > The censorship here is somehow irritating.
        >
        > Get over it. We're blocking one individual for abuse.

        I must say that I really like the slashcode feature where a mod down removes the comment from sight but not from storage. I do not think deleting comments altogether (as it seems is happening) is a good idea.

        > If you don't like it, go somewhere else.

        Remember that straw that broke the camel's back was but a single straw. Be careful when you are adding straws..

        In other news, it is World Naked Gardening Day today, I suggest we all go outside and get some sunshine!!

  3. By farlies (69.180.189.67) farlies@gmail.com on

    Couldn't problems like this be addressed, at least in part, by digitally signing releases and updates? Admittedly there are good and bad ways to do this (http://usenix.org/publications/login/2009-02/openpdfs/samuel.pdf)....

    Comments
    1. By Bob Beck (129.128.11.43) beck@openbsd.org on

      > Couldn't problems like this be addressed, at least in part, by digitally signing releases and updates? Admittedly there are good and bad ways to do this (http://usenix.org/publications/login/2009-02/openpdfs/samuel.pdf)....
      >
      >

      All of these require infrastructure - this costs money.

      Having said that, wait for 4.6 :)

      Comments
      1. By Anonymous Coward (84.137.197.32) on

        > > Couldn't problems like this be addressed, at least in part, by digitally signing releases and updates? Admittedly there are good and bad ways to do this (http://usenix.org/publications/login/2009-02/openpdfs/samuel.pdf)....
        > >
        > >
        >
        > All of these require infrastructure - this costs money.
        >
        > Having said that, wait for 4.6 :)
        >

        In my earlier, apparently censored, comment I politely pointed out that cryptographically signing the release .iso and .tgz files can be done by a trivial combination of sha256sum and gpg and asked why the OpenBSD release procedure doesn't include this step which is pretty much standard elsewhere.

        This is a real issue that is affecting users regardless of the current issue with the mirror mentioned above. Without signatures there is no way to verify the authenticity of the release files one has downloaded.

        I would like to add that this also applies to the CD sets. The chain of people a CD goes through from the release build to me receiving it is far too long to say anything other than "It's got an OpenBSD logo on it, it might have the right content".

        I welcome the effort the OpenBSD team puts into security and I thank you guys for the great OS that you provide us with, but the lack of cryptographical signatures on the release files leaves a huge gap that could be closed so easily.

        I urge the powers that be to look into providing a solution not just for 4.6. It's really simple, directly helps users, enables the use of OpenBSD in places where verification of installation media is a must, and it can be provided now, for 4.5.

        Thanks in advance for any effort you put into this. I'm looking forward to it.

        Cheers,

        [an otherwise happy OpenBSD user]

        Comments
        1. By Anonymous Coward (68.151.45.105) on

          Key management and signing is a non-trivial task if done securely.

    2. By Marc Espie (213.41.185.88) espie@openbsd.org on

      > Couldn't problems like this be addressed, at least in part, by digitally signing releases and updates? Admittedly there are good and bad ways to do this (http://usenix.org/publications/login/2009-02/openpdfs/samuel.pdf)....

      We are aware of that paper.

      The issue is definitely not technical in nature, it's a process issue.

      Comments
      1. By Dylan Cochran (69.251.126.57) on

        > > Couldn't problems like this be addressed, at least in part, by digitally signing releases and updates? Admittedly there are good and bad ways to do this (http://usenix.org/publications/login/2009-02/openpdfs/samuel.pdf)....
        >
        > We are aware of that paper.
        >
        > The issue is definitely not technical in nature, it's a process issue.
        >

        Yes, many people forget that a secure system requires a policy, and a mechanism to implement that policy. The paper itself is laughable, because he is reading into the policy the signatures are enforcing (a method of build source verification for distribution purposes) and then extrapolating attacks for policies it is not enforcing, such as providing only recent 'secure' package sets.

        Unfortunately, people automatically assume that if a signature or verification mechanism of any kind exists, it must enforce all possible policies.

        * It must mean that the packages contain fully audited binaries that contain zero malicious or potentially dangerous code.
        * It must mean that the packages are completely up to date and secure.
        * It must mean that the packages contain no extra commands in the +CONTENTS that add extra users to the system.
        * It must mean that the package when installed, whitens your teeth.
        * It must mean that the package will cure cancer in any person who gets within 10 meters of the destination machine.

        When really, it just means that the package was built on the OpenBSD machines intended to build those packages, according to whatever public key was stored on the tarballs you used to install.

        Just because you want signatures to mean mirrors can't provide old package sets, does not make it their policy to do so, and that they are at fault for not providing it. If I want OpenBSD to install KDE by default and use a fluorescent pink troll doll background, that does not mean OpenBSD developers are completely incompetent who can't do that simple task.

        It just means I need psychiatric help. :)

  4. By tedu (udet) on

    > Do you mean that kd85.com ?

    Did you mean to ask ?

  5. By Floor Terra (24.132.209.102) floort@gmail.com on

    > Just curious, did anyone pre order with Wim this release?

    Yes, I know I did and probably most of the early European pre-orders went through kd85.com too.

    Comments
    1. By sickness (94.36.67.204) on http://www.sickness.it

      > > Just curious, did anyone pre order with Wim this release?
      >
      > Yes, I know I did and probably most of the early European pre-orders went through kd85.com too.
      >
      >

      I've preordered on www.openbsd.org but I'm in europe so the site always made (automatically) the order through kd85, in previous years I've always received the preorder long before the release date, this year It's May the 1st and I'm still waiting...

      Comments
      1. By Anonymous Coward (94.23.54.164) on

        > > > Just curious, did anyone pre order with Wim this release?
        > >
        > > Yes, I know I did and probably most of the early European pre-orders went through kd85.com too.
        > >
        > >
        >
        > I've preordered on www.openbsd.org but I'm in europe so the site always made (automatically) the order through kd85, in previous years I've always received the preorder long before the release date, this year It's May the 1st and I'm still waiting...

        Theo boycotts him to destroy his reputation.
        Stay tuned... it will be there soon I'm sure.

      2. By Anonymous Coward (84.197.83.56) on

        > > > Just curious, did anyone pre order with Wim this release?
        > >
        > > Yes, I know I did and probably most of the early European pre-orders went through kd85.com too.
        > >
        > >
        >
        > I've preordered on www.openbsd.org but I'm in europe so the site always made (automatically) the order through kd85, in previous years I've always received the preorder long before the release date, this year It's May the 1st and I'm still waiting...

        I've always had good dealings with Wim, and tend to believe his side of the story until things are proven otherwise. History just gives the impression it's all too easy for people to fall out of grace with Theo (no offence intended here - this is just my impression as an outsider).

        Maybe people will turn away from OpenBSD for just one fight too many.

        Just my 2c.
        Peter.

        Comments
        1. By Anonymous Coward (128.171.90.200) on

          > > > > Just curious, did anyone pre order with Wim this release?
          > > >
          > > > Yes, I know I did and probably most of the early European pre-orders went through kd85.com too.
          > > >
          > > >
          > >
          > > I've preordered on www.openbsd.org but I'm in europe so the site always made (automatically) the order through kd85, in previous years I've always received the preorder long before the release date, this year It's May the 1st and I'm still waiting...
          >
          > I've always had good dealings with Wim, and tend to believe his side of the story until things are proven otherwise. History just gives the impression it's all too easy for people to fall out of grace with Theo (no offence intended here - this is just my impression as an outsider).
          >
          > Maybe people will turn away from OpenBSD for just one fight too many.

          I've dealt with Wim many a time and have a lot of respect for him. This is the first I've heard about the dispute. It should be pointed out that the mirrors have snapshots in place of releases, that is the right thing to do. I agree though that this may be one fight too many, I have agreed with OpenBSD's stance in many of the public arguments, because most times they are right, but I have no reason to doubt Wim.

          Now to read the misc@ archives.

  6. By Anonymous Coward (66.42.176.224) on

    This is a case where one breaks a mirror and gets 7 years of good luck.

    Glad OpenBSD monitors and reports on its stuff.

    It is a good thing that Gnupg 1.4.9 is in pkg on cd, for 4.5. 4.4, and 4.3 missed it.

    4.5 has lots of little extras, systat is now filled with goodies.

  7. By Anonymous Coward (76.24.20.147) on

    Thank you Bob for pointing this out. Remember folks, accept no (unauthorized) substitutes!!! :-)

  8. By sepp0 (sepp0) sepp0@openbsderos.org on http://www.openbsderos.org

    Please update the ftplist ( ftp://ftp.openbsd.org/pub/OpenBSD/ftplist )
