Question on Kyber Encryption (Key Gen)

Jakob Bohm jb-gnumlists at wisemo.com
Fri Nov 1 11:20:14 CET 2024


On 10/29/2024 10:05 AM, Werner Koch via Gnupg-users wrote:
> Hi!
>
> you should really set aside problems with the distribution and use the
> speedo variant to build everything.  This is somewhat similar to an
> AppImage.  From the README:
>
>    To quickly build all required software without installing it, the
>    Speedo target may be used:
>
>      make -f build-aux/speedo.mk native
>
>    This target downloads all required libraries and does a native build
>    of GnuPG to PLAY/inst/.  GNU make and the patchelf tool are
>    required.  After the build the entire software including all
>    libraries can be installed into an arbitrary location using for
>    example:
>
>      make -f build-aux/speedo.mk install SYSROOT=/usr/local/gnupg26
THIS IS BAD!  It is the make-based version of the memed "download and
run random code from the internet" instructions that security-ignorant
teams keep posting as their "Linux" install instructions.  The
semi-embedded "buildroot" project did the same years ago.

Unless the speedo make target actively checks each download against a
strong hash stored in the initial gnupg tarball, this exposes the
user/dev to all manner of supply chain attacks by running unvetted
build scripts and other code from whomever hijacks any one of the
various upstream URLs.

Systemd blindly loading random 3rd party decompression libraries into
all compatible daemon processes was similarly exploited this year by
someone invading one of the compression projects.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
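Added illustration (not code from this thread or from GnuPG's speedo.mk) of the check the post asks for: each downloaded build input is compared against a SHA-256 pinned in a manifest that ships inside the source tree, and any mismatch or missing file fails the step. The manifest format, file names and sample contents are constructed for the example.

```shell
#!/bin/sh
# Pinned-digest verification for downloaded build inputs.  Digests live in a
# manifest shipped with the source, so a hijacked upstream URL cannot slip in
# substitute code without the build noticing.

# Digest of a file; sha256sum on GNU systems, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download <file> <expected_sha256>: 0 on match, 1 if absent/mismatch.
verify_download() {
    [ -f "$1" ] || { echo "missing download: $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ] && return 0
    echo "DIGEST MISMATCH $1: expected $2 got $actual" >&2
    return 1
}

# verify_manifest <manifest> <dir>: every "<sha256>  <file>" line must match;
# blank and '#' lines are skipped; a single failure fails the whole step.
verify_manifest() {
    status=0
    while read -r digest name; do
        case "$digest" in ''|'#'*) continue ;; esac
        verify_download "$2/$name" "$digest" || status=1
    done < "$1"
    return $status
}

# Constructed fixture: one download matching its pin and one whose content a
# hijacked mirror swapped.  The pinned value is sha256("hello\n").
make_fixture() {
    dir=$(mktemp -d)
    printf 'hello\n'  > "$dir/good.tar.gz"
    printf 'trojan\n' > "$dir/hijacked.tar.gz"
    cat > "$dir/MANIFEST" <<EOF
# sha256                                                            filename
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  good.tar.gz
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  hijacked.tar.gz
EOF
    echo "$dir"
}

# Stand-alone run ("sh verify.sh demo"): reports the swapped file, exits 1.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    verify_manifest "$d/MANIFEST" "$d" && echo "all downloads verified"
fi
```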