Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Filip Brcic <brcha@xxxxxxx>
  • Date: Thu, 1 Nov 2007 02:44:07 +0100
  • Message-id: <200711010244.13944.brcha@xxxxxxx>

On Thursday 01 November 2007, Aniruddha wrote:
> And you don't have to trust the packager, you trust the distribution and
> its security policy. And don't forget packages pass through many hands before
> ending up in the stable tree. In Debian/Ubuntu it goes from Experimental
> to Unstable to Testing to Stable. I can assure that when it arrives at
> Stable you can trust it 100%. Gentoo/FreeBSD is the same, they have
> a very, very long testing period before new packages finally arrive in the
> stable tree.
>
> Compare this to the openSUSE buildservice where everyone can get an
> account, start a repo and wreak havoc because there aren't any safety

I agree completely. Still, I would leave the build service as it is (in the
end, I can make a Gentoo portage overlay if I have space on the web to upload
ebuilds to, and since the size of such an overlay would be somewhere between
1 and 2 MB at the most, everybody can get that much online space). What I
would do is add some additional rules/constraints on how to add "home:*"
repositories. The rest of the repositories should be considered as something
like "experimental/unstable/~x86/..." but checked for malicious code (or at
least for malicious packagers). But home:* are completely free and unchecked
and therefore should be at least restricted from being shown by default on
the query tool.

> > Since everything in the build service is free software you can always
> > check the source the packages are built from yourself if you wish, and
> > so can anyone else, which provides as much of a safeguard as possible.
>
> This can be done for a few packages that you manually compile, however
> openSUSE relies so heavily on the buildservice for functionality that it
> becomes a daunting task to check all these packages yourself.

At this moment I am downloading 180+ packages from KDE:KDE4 repository. But I
trust the KDE team and KDE:KDE4 packagers not to include malware in the
source and in the packages. But, as I said, why should I trust
the "home:darix" repository (if I don't know who darix is) or
whoever's "home:whoever" repository by default?

--
Filip Brcic <brcha@xxxxxxx>
Jabber: brcha@xxxxxxxxxxx
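An added example, not from this thread or from the openSUSE project: a Python check over zypper-style `.repo` definitions that implements the policy argued for above, treating `home:*` projects as untrusted unless they are explicitly allow-listed and flagging enabled repositories that have GPG checking turned off. The `.repo` contents are constructed for the example, and the URL layout it parses (`/repositories/home:/darix/...`) is an assumption about how the build service publishes repositories, not something stated in the mail.

```python
"""Repository trust audit for zypper/yum-style .repo files.

Added example, not code from the mailing-list thread or from openSUSE.
Assumptions (not taken from the original mail):
  * Build-service repositories are published under
    download.opensuse.org/repositories/<project>/..., with each ':' in the
    project name followed by '/' in the URL path (e.g. home:/darix/).
  * The .repo files are INI-style with baseurl, enabled and gpgcheck keys.
"""
import configparser
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: three repositories as they might sit in /etc/zypp/repos.d/
SAMPLE_REPOS = """
[KDE_KDE4]
name=KDE:KDE4
enabled=1
gpgcheck=1
baseurl=http://download.opensuse.org/repositories/KDE:/KDE4/openSUSE_10.3/

[home_darix]
name=home:darix
enabled=1
gpgcheck=1
baseurl=http://download.opensuse.org/repositories/home:/darix/openSUSE_10.3/

[home_whoever]
name=home:whoever
enabled=1
gpgcheck=0
baseurl=http://download.opensuse.org/repositories/home:/whoever/openSUSE_10.3/
"""


@dataclass
class RepoFinding:
    """One enabled repository that fails the trust policy, with the reasons."""
    alias: str
    project: str
    gpgcheck: bool
    reasons: list = field(default_factory=list)


def obs_project_from_url(url: str) -> str:
    """Recover the build-service project name from a repository baseurl.

    Assumed layout: /repositories/<part>:/<part>/<target>/ ; every path
    segment ending in ':' is a project-name component, the first segment
    without a trailing ':' is the last component. Returns "" if the URL
    does not follow that layout.
    """
    path = urlparse(url).path
    marker = "/repositories/"
    if marker not in path:
        return ""
    segments = path.split(marker, 1)[1].split("/")
    parts = []
    for seg in segments:
        if seg.endswith(":"):
            parts.append(seg[:-1])
        else:
            parts.append(seg)
            break
    return ":".join(parts)


def audit_repos(repo_text: str, trusted_projects: set) -> list:
    """Return findings for enabled repositories that violate the policy.

    Policy: a home:* project is untrusted unless explicitly allow-listed,
    gpgcheck must be on, and the baseurl must be a build-service project URL.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    findings = []
    for alias in parser.sections():
        section = parser[alias]
        project = obs_project_from_url(section.get("baseurl", ""))
        enabled = section.get("enabled", "1") == "1"
        gpgcheck = section.get("gpgcheck", "1") == "1"
        reasons = []
        if not project:
            reasons.append("baseurl is not a build-service project URL")
        elif project.startswith("home:") and project not in trusted_projects:
            reasons.append("home: project with no explicit trust decision")
        if not gpgcheck:
            reasons.append("gpgcheck disabled")
        if enabled and reasons:
            findings.append(RepoFinding(alias, project, gpgcheck, reasons))
    return findings


if __name__ == "__main__":
    # Only KDE:KDE4 is trusted here; both home: repositories get flagged.
    for finding in audit_repos(SAMPLE_REPOS, {"KDE:KDE4"}):
        print(f"{finding.alias} ({finding.project}): {'; '.join(finding.reasons)}")
```

Run against a real `/etc/zypp/repos.d/` the same function can be fed each file's contents in turn; the allow-list is the place to record a deliberate decision to trust a particular `home:` project rather than leaving it enabled by default.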

To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
