siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0
6.94k stars 559 forks source link

[Security] Add canary statement #8710

Open cchexcode opened 6 months ago

cchexcode commented 6 months ago

Feature Request

As an operating system, talos linux is a critical part of the system if used for production workloads. As that, it is important to verify the integrity of the system (and developers). With that being said, I suggest the following changes to increase security for this amazing piece of software.

Asset checksums

I suggest that we're adding checksums to the asset downloads on the release page. This can be used to verify that a downloaded file has not tampered with in transit. This is generally a best practice when downloading critical software and prevents a range of attacks that could compromise the asset.

Canary

In order to increase trust in Talos linux, I suggest that siderolabs adds a canary statement to verify that a release does not contain a backdoor or other types of desired malware. In the many countries, law enforcement can seize property (like Talos as IP) and modify / redistribute it with backdoors. They can require you to not speak out but can't require you to take certain actions (such as signing with a PGP key etc). Long story short, I think a critical piece of infrastructure such as an OS should provide a canary statement that no such incident took place. Wh0nix is such an example, providing a canary incl. recent headlines to prove it's recent.

smira commented 6 months ago

Most critical release assets are reproducible, so you can build it yourself from source and compare to the released assets. This provides better protection/trust than any other measures.

The reproducible assets are:

Every other asset can be produced from the above.

steverfrancis commented 6 months ago

There are sha256sum.txt

sha512sum.txt published with every release - are those not the checksums you mean?

cchexcode commented 6 months ago

@steverfrancis yes correct - I must've missed these three times while looking through the list. Excellent!