Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Aniruddha <mailing_list@xxxxxxxxx>
  • Date: Thu, 01 Nov 2007 08:48:26 +0100
  • Message-id: <1193903306.3576.92.camel@xxxxxxxxxxxx>
On Thu, 2007-11-01 at 02:44 +0100, Filip Brcic wrote:

On Thursday, 01 November 2007, Aniruddha wrote:
And you don't have to trust the packager, you trust the distribution and
its security policy. And don't forget packages pass through many hands before
ending up in the stable tree. In Debian/Ubuntu it goes from Experimental
to Unstable to Testing to Stable. I can assure you that when it arrives at
Stable you can trust it 100%. Gentoo/FreeBSD is the same, they have
a very, very long testing period before new packages finally arrive in the
stable tree.

Compare this to the openSUSE buildservice where everyone can get an
account, start a repo and wreak havoc because there aren't any safety
precautions.

I agree completely. Still, I would leave the build service as it is (in the
end, I can make Gentoo portage overlay if I have space on web to upload
ebuilds to, and since the size of such an overlay would be somewhere between
1 and 2 MB at the most, everybody can get that much online space). What I
would do is add some additional rules/constraints on how to add "home:*"
repositories. The rest of the repositories should be considered as something
like "experimental/unstable/~x86/..." but checked for malicious code (or at
least for malicious packagers). But home:* are completely free and unchecked
and therefore should be at least restricted from being shown by default on
the software.opensuse.org/search query tool.

Great to see someone who understands my point of view.

Since everything in the build service is free software you can always
check the source the packages are built from yourself if you wish, and
so can anyone else, which provides as much of a safeguard as possible.

This can be done for a few packages that you manually compile, however
openSUSE relies so heavily on the buildservice for functionality that it
becomes a daunting task to check all these packages yourself.

At this moment I am downloading 180+ packages from KDE:KDE4 repository. But I
trust the KDE team and KDE:KDE4 packagers not to include malware in the
source and in the packages. But, as I said, why should I trust
the "home:darix" repository (if I don't know who darix is) or
whoever's "home:whoever" repository by default?

I agree completely. For example, I do trust the packman repository, but
indeed there are so many unknown anonymous packagers that it's difficult
to determine if they are genuine.


--
Regards,

Aniruddha



