Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Aniruddha <mailing_list@xxxxxxxxx>
  • Date: Thu, 01 Nov 2007 01:16:34 +0100
  • Message-id: <1193876195.3576.80.camel@xxxxxxxxxxxx>
On Wed, 2007-10-31 at 23:57 +0000, Benji Weber wrote:
> On 31/10/2007, Aniruddha <mailing_list@xxxxxxxxx> wrote:
> > In Gentoo/FreeBSD/Debian/Ubuntu you don't have to worry about that since
> > the maintainer of that package checks this for you.
>
> You are trusting the Gentoo/FreeBSD/Debian/Ubuntu packager to do the
> checks conscientiously, and not insert anything malicious h(im|er)self.
>
> > Apparently in openSuSE there is no such safety precaution.
>
> You have to trust the packager just the same. There are additional
> third party repositories for the other distributions too & you have to
> decide whether to trust those. Some might argue that the core packages
> that make up the openSUSE distribution be trusted more as it is the
> base for SLE which has to have rigorous checks. But at the end of the
> day it depends who you trust.

For Gentoo/FreeBSD/Debian/Ubuntu there aren't additional repositories
necessary since these distributions maintain 14000-22000 packages
themselves. openSUSE on the other hand forces you to use 3rd party
repositories to get basic functionality working (see
http://opensuse-community.org/Restricted_Formats/10.3 ).

And you don't have to trust the packager, you trust the distribution and
its security policy. And don't forget packages pass through many hands before
ending up in the stable tree. In Debian/Ubuntu it goes from Experimental
to Unstable to Testing to Stable. I can assure you that when it arrives at
Stable you can trust it 100%. Gentoo/FreeBSD is the same, they have
a very, very long testing period before new packages finally arrive in the
stable tree.

Compare this to the openSUSE buildservice where everyone can get an
account, start a repo and wreak havoc because there aren't any safety
precautions.

> Since everything in the build service is free software you can always
> check the source the packages are built from yourself if you wish, and
> so can anyone else, which provides as much of a safeguard as possible.

This can be done for a few packages that you manually compile, however
openSUSE relies so heavily on the buildservice for functionality that it
becomes a daunting task to check all these packages yourself.


--
Regards,

Aniruddha
