Insecure updates are the rule, not the exception
The Update Framework
As with most things in open source, you don't have to reinvent the wheel. The Update Framework (TUF)  is available under an open source license (but not one I recognize) and is written mostly in Python, so it's pretty understandable. Even better is that all the above security issues have been taken into account for the system design and implementation. It even addresses possible problems like key compromise.
One basic thing to keep in mind about security, especially for software updates, is that you need to make your system as secure as you can, but you also need to make it possible to return to a known good state (i.e., you have removed all the compromised packages and so on from your update infrastructure).
TUF places all of the heavy lifting on the server and end client. Thus, the intermediary mirror systems don't even need to know about it, which in turn makes deployment possible (trying to get a major mirror site to install some software so they can securely serve updates is a battle you will lose). Unfortunately, TUF isn't perfect – the only client is written in Python, so integrating it with non-Python software or on systems that don't natively support Python (e.g., Windows) will be difficult, to say the least. For more information, an excellent lightning talk is available on YouTube  that covers all the basics of TUF using PyPI.
You can certainly use TUF to secure updates, but, unfortunately, deploying TUF is nontrivial. You're going to need at least two servers (in case one fails) and some keys that will require management. That means it's probably not going to be used; in fact, I'm not aware of any software that uses TUF for updates. So, unless people start demanding that organizations and vendors, like WordPress, Drupal, Joomla, RubyGems, PyPI, Hackage, CPAN, and so on, start providing secure updates for all the code they make available, it isn't going to happen.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- HTP Zine 5: http://straylig.ht/zines/HTP5/0x02_Linode.txt
- Social Media Widget remote file inclusion: http://seclists.org/oss-sec/2013/q2/83
- OpenPGP Card: http://en.wikipedia.org/wiki/OpenPGP_card
- Kernel Concepts Security/Smartcards: http://shop.kernelconcepts.de/index.php?cPath=1_26
- The Update Framework: https://www.updateframework.com/
- TUF lightning talk: https://www.youtube.com/watch?v=2sx1lS6cT3g
Buy this article as PDF
Innovative system adds a hard drive and Ubuntu Core to the RPi for an IoT hub.
Linux is two weeks younger than we thought!
The Apache Software Foundation considers retiring OpenOffice
Adobe won’t kill the plugin in 2017
Linux Foundation's big event celebrates the 25th anniversary of Linux
Competitors get in the game with RHEL without Red Hat
Security researchers have already notified Microsoft; some fixes are available
The company is collaborating with Google and Intel to use Kubernetes as an engine for Fuel