kernel.org was down for weeks a while back while someone rooted around at will; kernel.org is generally considered highly secure. When I go to the PureOs repos at http://repo.pureos.net/ I see the apache2 default “It works!” page complete with instructions describing how the page should be replaced as the next step.
PureOs is a great idea, but not if no one trusts the source code or the downloadable ISO due to lack of security around its repos. It would be great if the pure os repos only accepted TLS for instance, rather than plain jane http (and no, accepting http and redirecting to https isn’t recommended); the sha256sum of the iso is provided instead of (or in addition to) the md5sum, etc.
Lastly, when I first submitted this, I got these errors:
Warning: Illegal string offset ‘errors’ in /var/www/html/wp-content/plugins/spam-destroyer/inc/class-spam-destroyer.php on line 326
Fatal error: Call to a member function add() on string in /var/www/html/wp-content/plugins/spam-destroyer/inc/class-spam-destroyer.php on line 326
That’s some serious information leakage you can (and really should) prevent. OWASP has some good primers on general security practices, and there are some other good guides out there on securing websites (which mostly remain true for repos as well).
As far as I can tell at least, the PureOS infra and repositories are separate from all that (and from each other), so that’s a start.
There’s still a fair amount of work cut out for our sysadmin to do (the problem is time and resources to do everything at once quickly). Nevertheless, if you have other security-related questions or suggestions, let us know.
I believe, for example, that it would be better for the forums to be a completely standalone thing (using Discourse perhaps) to keep it separate from the main website’s infrastructure. I added that to the wishlist for our sysadmin… just alongside “we should have a server-side global spam filtering feature” (there are loads of spam coming through email) and “the database servers should be beefier”, among other things
It’s probably much more desirable to get the line below from devlog #3 (used to try PureOS 3 alpha) changed to an HTTPS link. This key is used to verify all packages but with the line below you’re not really verifying the key itself in any way.
Will http://repo.pureos.net be available as https in the future ?
Firefox and other major web browsers will block http in the near future. Nobody will be able to access http://repo.pureos.net via a web browser. apt-transport-https IS installed in ubuntu 16.04 .
Is qtox available in the repo. I could not find it.
THANKS
I was quite shocked to see that there are no signatures available for the hashes of the releases, which IMHO any security/privacy focused OS should provide. This is for the obvious reason, that you otherwise can’t trust the system you are installing.
I don’t know how frequent the ISO builds are these days, but since it’s a rolling distro, I’m not sure the images are being built manually each day… if it’s done automatically, wouldn’t signing the ISOs be tricky or meaningless if no human is involved to certify them at upload time? But maybe I’m guessing wrong and it’s actually being done manually, @zlatan-todoric would know.
At least the PureOS website and download link are behind HTTPS, so there’s that.
Why so? If I am assuming that the servers and the developers machines are not compromised, I don’t see a problem with automating the signing as well.
However, even when assuming them all to be trusted, it doesn’t protect me against an attacker (e.g. some state-level attacker) that cracks HTTPS using its own controlled certificate authorities to issue wrong certicifates trusted by my browser and then executes the usual man-in-the-middle or man-on-the-side attack.
That is why e.g. Qubes OS, Tails, Subgraph OS, Debian, … all have signed releases. Therefore I feel much saver to install a plain debian and perhaps do some hardening myself, then to install a Pure OS, in which case I can’t even trust the installation medium.