Security review of Entware

[transmuting]

I'm about to install Entware (again), but I'm kind of paranoid these days. There seems to be a handful of people in charge of the Entware-repositories. And I don't have the technical skills to review the compiled binaries (if that is even possible) or monitor traffic to suspicious IPs. Like what if one developer with access to Entware-repos injects malware/spyware in legitimate looking binaries, like nginx, bash, etc? Then all those thousands of routers using Entware could (silently) be infected.

So snb-experts: Please tell me there is nothing to worry about. And give me some good reasons to trust Entware.

 

[dave14305]

Like most things these days, we trade security for convenience. It might be more secure for you to audit the source code and compile your own binaries for the various packages that are also available via entware. But that is not fun for the average user like us, and beyond my pay grade.

I like to believe that people much smarter than myself would notice a nefarious issue long before I ever could, and would sound the alarm bells.

I have entware installed, but only for the sake of certain utilities that I run on demand (e.g. dig, drill, htop, lsof, etc.). Nothing that is daemonized and running 24x7. But my needs are simple.

 

[martinr]

The same thought crosses my mind most of the time, when, for example, I download something like Kaspersky’s virus scan, which I uninstall after use, or use Putty (even though it’s open source), or use XShell, which was indeed so infected with malware in the summer of 2017. And occasionally whilst Windows 10 is booting up - I wonder how many zero-day exploits are waiting to be patched. No longer can you download free software, whilst thinking what a nice, altruistic fellow the developer must be.

I’m not knocking your question: I think you’re dead right to question things, though, the only way really not to trust the evil is to turn your back on cyberspace,

 

[RMerlin]

The honest answer: there's no way to be sure unless you download the source code, review the entire source code, and then compile it yourself. This is however not practical for obvious reasons (and we all run tons of closed source software in all of our devices).

How likely is it to be the case? Unlikely I would say. I've had dealings with two of the contributors to Entware over the past years, and I trust both of them. One of them is in fact the only person I trust outside of myself to have write access to my firmware's Git repo (@themiron).

There's always a chance of their repo being compromised by a third party, as I don't think they use any form of software signing. How likely is it to happen? Again, very unlikely. Hackers would rather go for where they have the largest return on their investment, which means infecting Windows desktops rather than a handful of enthusiast routers.

So bottom line: personally I trust Entware enough to use it on my routers (tho I mostly use it for debugging tools like tcpdump or strace).

It might be worth perhaps checking with them if some form of package signing (PGP or other) could be implemented to reduce the chances of hijacking by a malicious third party.