Mailinglist Archive: opensuse-buildservice (349 mails)

< Previous Next >
Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Thu, 1 Nov 2007 09:03:27 +0100
  • Message-id: <200711010903.27709.adrian@xxxxxxx>
On Thursday 01 November 2007 01:16:34 wrote Aniruddha:
On Wed, 2007-10-31 at 23:57 +0000, Benji Weber wrote:
On 31/10/2007, Aniruddha <mailing_list@xxxxxxxxx> wrote:
In Gentoo/FreeBSD/Debian/Ubuntu/ you don't have to worry about that
since the maintainer of that package checks this for you.

You are trusting the Gentoo/FreeBSD/Debian/Ubuntu packager to do the
checks contientiously, and not insert anything malicious h(im|er)self.

Apparently in openSuSE there is no such safety precaution.

You have to trust the packager just the same. There are additional
third party repositories for the other distributions too & you have to
decide whether to trust those. SOme might argue that the core packages
that make up the openSUSE distribution be trusted more as it is the
base for SLE which has to have rigorous checks. But at the end of the
day it depends who you trust.

For Gentoo/FreeBSD/Debian/Ubuntu/ there aren't additional repositories
necessary since these distributions maintain 14000-22000 packages
themselves. openSUSE on the other hand forces you to use 3r party
repositories to get basic functionality working (see
http://opensuse-community.org/Restricted_Formats/10.3 ).

And you don't have to trust the packager, you trust the distribution and
it's security policy. And don't forget packages passes many hands before
ending up in the stable tree. In Debian/Ubuntu it goes from Experimental
to Unstable to Testing to Stable. I can assure that when it arrives at
Stable you can trust it for 100%. Gentoo/FreeBSD is the same, they have
a very, very long testing period for new packages finally arrive in the
stable tree.

This not true .. You need to trust the packager is working according to the
policy, you need to trust that the packager have reviewed the new source tar
ball and you need to trust that the original authors have not build in hidden
traps.

Putting lots of packages into one large repo does not help you, as long you do
not add extra review mechanisms. Which can't be that extensive, if you
increase the number of packages.

Since the are also different requeriments (you want to be more care full on
your critical server than on your test systems) it is better to have multiple
repositories with different requirements for the trust and let the user
decide.

Compare this to the openSUSE buildservice where everyone can get an
account start a repo and wreck havoc because there aren't any safety
precautions.

Right, but only stuff in home:* can get added by them. So you are already one
step more secure when you do not use these repos.

Since everything in the build service is free software you can always
check the source the packages are built from yourself if you wish, and
so can anyone else, which provides as much as a safeguard as possible.

This can be doen for a few packages that you manually compile, however
openSUSE relies so heavily on the buildservice for functionality that it
becomes a daunting task to check all these packages yourself.

All packages checked into the main distro get a review. This is also the
reaons why it takes sometime until a new version appears there.

What is indeed missing is a peer review and rating system to help the users to
decide which repos to trust or not...

I personally consider this approach more secure than a one large repo where
everybody gets easily an account no one is really doing source reviews of new
submitted tar balls. One the other hand, our modell still allows that new
packagers can start immediatly and make their stuff available. It is up to
the user to install it or not. (and keep in mind that downloading the source
and install yourself is maybe even more unsecure, because there is not even a
packager review).

bye
adrian

--

Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@xxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx

< Previous Next >
List Navigation
Follow Ups
References