So I recently heard in the news that a quite popular Linux distro that is currently a competitor to Ubuntu (Linux Mint) has been hacked. The hackers took control of their servers and infected one of the downloadable ISOs.
It’s not the first time a distribution has been hacked, and I really don’t blame the Linux Mint admins for that. Security is quite a complex topic, and it’s even harder if you’re on the defender side. All the attacker needs to do is find a single flaw, whether it’s a plugin on the blog you’re using or something that might seem really insignificant. But the results can be really devastating even if you have taken strict security measures on the network side of things.
Anyway, what I really wanted to talk about is the important role gpg has to play in this. For example, I’ve recently made a fresh Arch Linux install from scratch. Before getting started I had to verify the integrity of the ISO that I downloaded, to make sure the downloaded image is the same image that I’m supposed to receive from the server. But just verifying the integrity of the image successfully doesn’t guarantee that it is the exact image that the original authors created. To verify that it is coming from the intended author I also had to download the signature file that came with it, receive the key from a key server and verify the signature using gpg.
This extra step of verifying the signature is something that I’ve noticed on distros like Arch, Gentoo, etc. Personally I think gpg is not that hard to use, although some people find it confusing, and even major distros like Ubuntu (back when I was using it) didn’t provide this extra step of signature verification.
So why is this important? Well, take the case of Linux Mint after it was hacked: if signature verification had been there, users could have seen whether the image came signed with a key from one of the official developers and could have inquired further if anything looked suspicious. I don’t think it’s easy for a random attacker to forge the signature of the developers, but it does provide an extra layer of security on the user side.
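To make the difference between the two checks described above concrete (the checksum step and the signature step), here is an added example that is not from the original post. It uses a throwaway GnuPG key in a temporary GNUPGHOME in place of a distro’s release key; the file names and the key’s user ID are constructed, and it assumes gpg 2.1+ and sha256sum are installed.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway GnuPG key in a
# temporary GNUPGHOME stands in for a distro's release key. File names and
# the key's user ID are constructed. Requires gpg (2.1+) and sha256sum.

# Run gpg against the keyring under $1/gnupg; remaining args go to gpg.
gpg_q() {
    d=$1; shift
    GNUPGHOME="$d/gnupg" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' "$@" 2>/dev/null
}

# Does linux.iso match the checksum file published beside it? -> ok|bad
checksum_status() {
    (cd "$1" && sha256sum -c --status sha256sums.txt) && echo ok || echo bad
}

# Was linux.iso.sig made over linux.iso by a key in our keyring? -> ok|bad
# In real use the public key comes from a key server (gpg --recv-keys) and its
# fingerprint is compared against the distro's website or docs first.
signature_status() {
    gpg_q "$1" --verify "$1/linux.iso.sig" "$1/linux.iso" && echo ok || echo bad
}

# Developer side: generate the release key, the ISO, its checksum file and a
# detached signature, all inside directory $1.
make_release() {
    mkdir -m 700 "$1/gnupg"
    gpg_q "$1" --quick-gen-key 'Demo Dev <demo@example.invalid>' ed25519 sign 0
    printf 'constructed ISO contents\n' > "$1/linux.iso"
    (cd "$1" && sha256sum linux.iso > sha256sums.txt)
    gpg_q "$1" --detach-sign --output "$1/linux.iso.sig" "$1/linux.iso"
}

# Attacker side: with control of the server they can swap the ISO and republish
# a matching checksum, but cannot re-sign without the developer's private key.
tamper_release() {
    printf 'tampered ISO contents\n' > "$1/linux.iso"
    (cd "$1" && sha256sum linux.iso > sha256sums.txt)
}

# What a user who runs both checks sees for the release in $1.
report() {
    echo "checksum:$(checksum_status "$1") signature:$(signature_status "$1")"
}

dir=$(mktemp -d) && make_release "$dir"
echo "genuine release:  $(report "$dir")"   # checksum:ok signature:ok
tamper_release "$dir"
echo "tampered release: $(report "$dir")"   # checksum:ok signature:bad
rm -rf "$dir"
```

The tampered release still passes the checksum check because the attacker rewrote sha256sums.txt along with the image; only the detached signature, which they cannot regenerate, reveals the swap.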
Anyway, I actually support the decision made by the Linux Mint community to immediately announce the compromise to its users and take appropriate measures. There are perhaps a lot of distros out there that don’t like to reveal such stuff publicly for fear of damaging their image in the community. But the Linux Mint developers really do care about their users, so props to them for being so transparent about the whole thing.
P.S. If you’re really paranoid about your security/privacy, try doing an Arch Linux install from scratch. I know it takes a lot of time on your first run, but the learning experience is totally worth it. Good luck!