Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Aniruddha <mailing_list@xxxxxxxxx>
  • Date: Thu, 01 Nov 2007 10:43:17 +0100
  • Message-id: <1193910197.3576.177.camel@xxxxxxxxxxxx>
On Thu, 2007-11-01 at 09:25 +0000, Benji Weber wrote:
On 01/11/2007, Aniruddha <mailing_list@xxxxxxxxx> wrote:
Of course it is doable (see Debian/Gentoo/FreeBSD/Ubuntu), which
support up to 22000 packages. The only question is how ;)

Partly because they have a lot of people producing the packages, and
if one were cynical one could suggest because they don't do so much
security & quality checking compared to RH/SUSE etc whose businesses
depend on it.
That would be very cynical since Debian and Gentoo have very high
security standards in which large companies (e.g. hyves.nl) place their trust:
http://www.linux.com/feature/118799

http://www.gentoo.org/proj/en/hardened/

You are trusting the packagers from Gentoo/Ubuntu etc because they are
associated with the project, not because you know that they are in
fact doing their job properly. That is the point, you choose who you
wish to trust. The valid problems here are

1) There are not separate keys for each repository - this is on the
roadmap to be fixed by year end.
http://en.opensuse.org/Build_Service/Roadmap

2) There is no way to tie a packager's key to peer ratings/comments
etc. This will be easier to implement once the user database which
stores identity & other information about users & packages is ready.

We can make it easier to make an informed decision about who one
wishes to trust, but the choice about who to trust still has to be up
to you.

I agree 100%. These two suggestions should make it a lot easier to
determine whether a repo is trustworthy.


Making home: repositories harder to add doesn't solve any problem, and
anyone can make use of the one click install mechanism for
repositories that aren't even in the build service.

Maybe a better warning message instead of the current 'malicious
package' warning could improve the situation.

--
Regards,

Aniruddha
