On Thu, 2007-11-01 at 09:03 +0100, Adrian Schröter wrote:
And you don't have to trust the packager, you trust the distribution and it's security policy. And don't forget packages passes many hands before ending up in the stable tree. In Debian/Ubuntu it goes from Experimental to Unstable to Testing to Stable. I can assure that when it arrives at Stable you can trust it for 100%. Gentoo/FreeBSD is the same, they have a very, very long testing period for new packages finally arrive in the stable tree.
This not true .. You need to trust the packager is working according to the policy, you need to trust that the packager have reviewed the new source tar ball and you need to trust that the original authors have not build in hidden traps.
Good point I agree with you there. Although I consider chances that this will happen rather slim.
Putting lots of packages into one large repo does not help you, as long you do not add extra review mechanisms. Which can't be that extensive, if you increase the number of packages.
Since the are also different requeriments (you want to be more care full on your critical server than on your test systems) it is better to have multiple repositories with different requirements for the trust and let the user decide.
I am not sure I am getting your point.
Compare this to the openSUSE buildservice where everyone can get an account start a repo and wreck havoc because there aren't any safety precautions.
Right, but only stuff in home:* can get added by them. So you are already one step more secure when you do not use these repos.
Thank you. This is a very valuable lessen. What would be the best way to communicate this to the user? And does this mean that the non home:* are checked by openSUSE devs? Does this also include security fixes?
Since everything in the build service is free software you can always check the source the packages are built from yourself if you wish, and so can anyone else, which provides as much as a safeguard as possible.
This can be doen for a few packages that you manually compile, however openSUSE relies so heavily on the buildservice for functionality that it becomes a daunting task to check all these packages yourself.
All packages checked into the main distro get a review. This is also the reaons why it takes sometime until a new version appears there.
I think it would be best to enlarge the packages that belong in the main distro. Since openSUSE became open source this really should be possible (one team focus on packaging another one putting the packages together for a new distro).
What is indeed missing is a peer review and rating system to help the users to decide which repos to trust or not...
Does this have any chance to be implemented? I missed it on the roadmap ;)
I personally consider this approach more secure than a one large repo where everybody gets easily an account no one is really doing source reviews of new submitted tar balls. One the other hand, our modell still allows that new packagers can start immediatly and make their stuff available. It is up to the user to install it or not. (and keep in mind that downloading the source and install yourself is maybe even more unsecure, because there is not even a packager review).
You're right about that. I do think that some improvements we can greatly improve the security of the build service:
-Make it more difficult to add home:* repositories -Add some kind of review and comments section to value to repositories.
How should we proceed to make this happen?
Thanks for addressing al my questions and for your constructive answers.
-