Mailinglist Archive: opensuse-buildservice (311 mails)

Re: [opensuse-buildservice] Unique vendors per repository are a must and the current setup is a timebomb / security hole
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Thu, 26 Nov 2009 13:14:50 +0100
  • Message-id: <20091126131450.3717c2e5@xxxxxxxxxxxxxx>
Stephan Kleine wrote:
> I want a way that allows me to say to get PackageX only from RepoY and
> nowhere else without switching it to some other repo just cause it happens
> to get signed by the same pgp key.
>
> The possibility of packages getting switched to another repo without
> confirmation is IMHO a security hole and the whole discussion weren't
> necessary if you would just use unique vendors (_not_ pgp keys) per repo.
>
> And, considering that it were still possible for repos to use the same vendor
> _if chosen on purpose_ instead of by default I honestly fail to see one
> single reason that makes this behavior impossible or inconvenient.

I guess the bug or missing feature you are trying to report is that
all subprojects of e.g. home:$USER have the same vendor. There's an
API call to change the GPG key of subprojects but none to change the
vendor. Furthermore you are suggesting to change the default of
having the same vendor for all subprojects to having separate
vendors for all subprojects. Correct?

I don't get the part about security though. The repo trust setting
is all or nothing. You can't only trust individual packages from a
repo. Sure, vendor stickiness prevents exchanging already installed
packages but that's not really a security feature. An enabled, yet
untrusted repo could still install arbitrary packages via e.g.
Enhances tags.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)