On Wed, 2007-10-31 at 23:49 +0100, Aniruddha wrote:
On Wed, 2007-10-31 at 22:45 +0100, Marcus Meissner wrote:
On Wed, Oct 31, 2007 at 10:28:57PM +0100, Aniruddha wrote:
I wonder what are the security policies for openSUSE? What are the chances for malicious software (rootkits, trojans) being offered through the build service?
You have to trust the project you add the URL for.
What is the procedure for security holes and/or exploits in software offered in the openSUSE build repositories? I get the feeling openSUSE is becoming just as insecure as Windows hence the warning you get when adding repo's with 1-click install (see attachment). Or am I mistaken? Any info would be appreciated!
The openSUSE OSS and non-OSS repositories are secured as usual and the paranoid should only trust them.
The buildservice repos should not be considered containing secured packages.
The security fix policy for those is also left to the responsible maintainers.
Is it just me or is this a giant step backwards? How can you trust a project when everybody can upload files with no infrastructure to check for malware? Even worse it is almost impossible to protect yourself against rootkits.
Are there any future plans to set up an security infrastructure with common rules for ensuring security?
Thinking of the average joe, openSUSE makes it so easy (with 1-Click install), that it is impossible for them to tell whether it's safe to add an repository or not. I can't even tell. On which factors should they decide?