Mailinglist Archive: opensuse-buildservice (311 mails)

< Previous Next >
Re: [opensuse-buildservice] Unique vendors per repository are a must and the current setup is a timebomb / security hole
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Thu, 26 Nov 2009 05:50:09 +0100
  • Message-id: <200911260550.09724.adrian@xxxxxxx>
Am Donnerstag, 26. November 2009 03:53:32 schrieb Stephan Kleine:
Hi folks.

In https://bugzilla.novell.com/show_bug.cgi?id=503276 Michael asked me to
take my issue to the mailing list so I'm gonna present my case here:

My problem is that currently a repositories' "vendor" apparently is bound
to its pgp key which IMHO is a timebomb cause of zypp's "vendor
stickiness" cause it does currently consider every repository that gets
signed with the same key as the same "vendor".

This is not true, because the upper level project owner has setup it in this
way and he has anyway access rights to all others below. So this represents
the real access rights.
And when this person (group) decides that further people get write access to
some packages or projects below, it is his decision.

Now consider the following usecase:

1. There are repos A:Foo and A:Bar.
2. Since A:Foo & A:Bar use the same pgp key they also use the same vendor.
3. A:Foo contains Package1 and unstable svn snapshots of Package2
4. A:Bar contains Package2 and unstable svn snapshots of Package1

Now I want to install Package1 from A:Foo and Package2 from A:Bar and I
don't want to install their respective svn copies.

So I have to specify for every package which repository to use but this
wont work cause both use the same vendor cause they use the same pgp key.

It was suggested to use repository priorities but this doesn't work either
in that case because the stable / unstable (svn) stuff is in the other
repo.

That theoretical setting aside it also makes using OBS with zypp kinda
russian roulette cause there's no way to foresee when someone will publish
a newer binary in some sub repository (that uses the same vendor cause it
gets signed by the same pgp key) and then gets me updated to that newer
version in a different repo _which I do not want_!

So this also introduces a pretty severe security hole IMHO.

No, it was decided by the project owners to setup it in this way. You may not
like it, but this not a security whole. You need anyway to trust the people
when you add the repo.

And we want to allow that eG. all projects below home:adrianSuSE have the same
key. The gpg key is representing the trust level and this is there always the
same, because it is done by the same person.

Vendor is following the gpg key by default, but can be changed in case, if you
want to overwrite it as project owner.

IOW: I consider it absolutely mandatory to be able to say I want to get
PackageX _only_ from RepositoryY and _nowhere_ else which currently is
_not_ possible.

No, this is only wanted in one usecase. And the project owners are free to set
it up in this way.

But there definitive use cases, as described where we do not want this.

Other thoughts:

1. I agree that using the same pgp key to sign different (sub)repositories
makes sense cause the "trustlevel" is the same.

2. I totally disagree that linking the signing pgp key to the repositories
vendor is a good idea cause the trustlevel (pgp key) simply is a different
thing than the state of the repo from which I would like to get a certain
package.

3. Manually setting the vendor in the prjconf is no option cause I'm not
able to do that on the public OBS and there are far too many repos to
write everyone an email and to ask him / her to set an unique vendor.

You are able to do it, when you have write access to project. It is just
editing the project config.

Proposed solution:

1. Feel free to use the same key to sign different (sub)repositories (as it
is now) if the "trustlevel" is the same.

2. Use _unique_ vendors per repository so one is able to say "I want
PackageX only from RepositoryY and nowhere else." which is currently _not_
possible.

Vendor is saying "who" is publishing something. So it makes absolut no sense
to have different vendors below home:adrianSuSE, because it is always me. (at
least by default).

Possible Implementation:

1. Use the pgp keys as you use them currently.
2. Assign an _unique_ vendor to every existing repository and generate
unique vendors for all new repos.

Final conclusion:

1. I consider being able to say "I want PackageX only from RepositoryY and
nowhere else." absolutely mandatory but this is currently _not_ possible
with zypp.

2. This could easily be changed by using unique vendors per repository on
OBS.

3. I honestly fail to see why you argue soo much against using unique
vendors per repository.

So please either tell me a solution that solves the above described
usecases or change the public OBS configuration so unique vendors per
repository are used.

Your very special use case is to have multiple repos added with alternative
packages added, but you want to keep older packages in some cases from some
repos in some case.

So, you want manual mix package versions and override package manage
decisions. I can currently not imagine how this can be a valid usecase.

bye
adrian

--

Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References