Mailinglist Archive: opensuse-buildservice (272 mails)

Re: [opensuse-buildservice] The disconnect
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Mon, 8 Nov 2010 14:20:25 +0100
  • Message-id: <201011081420.26064.adrian@xxxxxxx>
On Monday, 8 November 2010, 13:51:20, Robert Schweikert wrote:

On 11/08/2010 07:23 AM, Adrian Schröter wrote:
On Tuesday, 2 November 2010, 21:17:37, Robert Schweikert wrote:
...
One of the gory details would be to skip packages in projects like
"bleeding-edge" during the automatic collection. But I believe there is
already a flag for things like that already, if I recall a discussion on
this list correctly.

I just want to point out the security implication in doing this.

If it is known that it is done in this way, it is horribly easy to build a
package which would get installed in any case, if you add such a repository.

And this package can do anything with your system. Getting root access on
any system, sending your credit card number to server X and so on.

Doing this is so horribly dangerous that I would even think that the usual
"we are not responsible" agreements in license texts would not help you in
court anymore.
Simply because this is not only careless, but actually more an already
prepared attack on all opensuse systems.


I guess you are saying that our devel projects are not safe. So maybe we
shouldn't provide repositories for the devel projects? AFAIK we do not
have an extra disclaimer w.r.t. security or other things for devel
projects. Thus your concern would apply today.

It does apply today also. You should be careful which repo you add to your
system.

But if you simply create one big repo and copy blindly all stuff from a high
number of projects your risk is way higher. Because even maintainers of some
simple corner case applications (which you would never install yourself) have
root access to your system.

bye
adrian

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx