Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] How secure is openSUSE build service?
  • From: "Rajko M." <rmatov101@xxxxxxxxxxx>
  • Date: Sun, 4 Nov 2007 18:26:06 -0600
  • Message-id: <200711041826.06795.rmatov101@xxxxxxxxxxx>
On Sunday 04 November 2007 02:32:03 pm Dirk Stoecker wrote:
> On Sun, 4 Nov 2007, Rajko M. wrote:
> > Scanning binaries for known problems using some antivirus/rootkit
> > software, before actually publishing, even in home:* repositories.
>
> I personally do not like this idea much, because it can cause the risk
> that people believe that software is "good" if the scanner does not find
> anything inside.
>
> However, any scanner that helps manual reviewing is of course very
> helpful.
>
> > The scanner solution will remove some number of possible attacks.
> > Though, they will not help against the one mentioned in this mail:
> > http://lists.opensuse.org/opensuse/2007-11/msg00422.html
> > This is out of scope of scanners, but the number of people able to create it
> > is smaller than for known attacks.
>
> Such a scanning system from my point of view is no public interface. This
> should run in the background by server administrators (either scanning
> binaries or sources).
>
> The build service users should only get to know it when they try nasty
> things and an administrator contacts them to tell them that they have
> been discovered (or else circumvention is no problem).
>
> So it gets an additional security improvement without negative side
> effects. Like in "We trust you, but a bit of control can't be wrong :-)".

Good point of view.
Now the question is how to discuss security issues.
Discussing security elements in public helps normal users to feel better, but
gives malicious users information on where to look for cracks in the wall.

How to tell normal users with good questions about security:
"We have some measures in place, and the Build Service is not a jungle where any
predator can jump in and wreak havoc, but it is also not a safe haven where
you can forget to keep an eye on security."

--
Regards,
Rajko.