coapp-developers team mailing list archive

Thread
Date

Re: Bundling x64 and x86 binaries in the same library package?

To: Olaf van der Spek <olafvdspek@xxxxxxxxx>
From: Garrett Serack <garretts@xxxxxxxxxxxxx>
Date: Fri, 16 Apr 2010 17:23:18 +0000
Accept-language: en-US
Cc: "coapp-developers@xxxxxxxxxxxxxxxxxxx" <coapp-developers@xxxxxxxxxxxxxxxxxxx>
Thread-index: AcrdiYGdmMIA/cKdSvaVyJ/ohbXLdg==
Thread-topic: [Coapp-developers] Bundling x64 and x86 binaries in the same library package?

>> Suppose it contains a trojan. 
Very very very very difficult to pull off with signed binaries, and no exes with a shared library package.

You're talking about the publisher screwing up and builds a compromised library and signing it. Well, that indeed is what a killbit system is for.

I find that scenario extremely unlikely.

>> So you don't just depend on a library, you depend on a library published by a specific publisher?
You are correct sir.  See this weeks blog posts on WinSxS and Code Signing (http://bit.ly/afiIjg and http://bit.ly/9butoS )

>> But as a user on a system I can't get WU to install a binary I feed it, can I?

Good question. I'm not sure if WU packages can be manually kicked off. I will investigate.

G


Garrett Serack | Open Source Software Developer | Microsoft Corporation 
I don't make the software you use; I make the software you use better on Windows.


-----Original Message-----
From: Olaf van der Spek [mailto:olafvdspek@xxxxxxxxx] 
Sent: Friday, April 16, 2010 10:15 AM
To: Garrett Serack
Cc: coapp-developers@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Coapp-developers] Bundling x64 and x86 binaries in the same library package?

On Fri, Apr 16, 2010 at 7:08 PM, Garrett Serack <garretts@xxxxxxxxxxxxx> wrote:
> What specifically do you mean by compromised?

Suppose it contains a trojan.

> If you mean that a package is published and someone is trying to pass it off as someone else's package, well that's why we have a requirement for a publisher to digitally signing the code.  If they lose control of their signing keys, we laugh and all code published with their cert after the loss of control can be killed by revoking the certificate, and/or implement a killbit system (since we can identify WinSxS libraries uniquely).

So you don't just depend on a library, you depend on a library published by a specific publisher?

> Actually, we should probably build a killbit system regardless, as it can assist in the defective case too.
>
> And, yes WU can install drivers and code from third parties; which is why they require any binaries passing thru WU to be signed and run thru a bunch of validation tools.

But as a user on a system I can't get WU to install a binary I feed it, can I?

Olaf