Skip to content

git clone git://kernel.ubuntu.com/ is Not Secure #3

Description

@eviljoel

In Ubuntu kernel with grsecurity, the instructions dictate that one should clone the Ubuntu source from kernel.ubuntu.com:

git clone git://kernel.ubuntu.com/ubuntu/ubuntu-precise.git

However, according to the git manual page, cloning a repository using the 'git' protocol is not secure:

The native transport (i.e. git:// URL) does no authentication and should be used
with caution on unsecured networks.

The the content of the download is also never verified in the Verify the digital signatures section.

According to the Ubuntu documention, there are a couple ways to obtain the Ubuntu source code. Option B seems like the most secure method for obtaining the source:

sudo apt-get source linux-image-uname -r

Alternatively, at the cost of some security, you can continue to use Option A and verify the signature on each tag. The problem with this is that each tag is signed by a different person at Canonical and it is not practical for Secure Drop users to obtain the public key of each Canonical kernel developer. This method also relies on the SHA1 signatures used by git which have known weaknesses (although the attacks are not very practical).

I recommend changing the instructions for obtaining the Ubuntu source to either use apt-get or provide instructions on verifying git tags. Thank you.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions