[opensuse-buildservice] security improvement by signed build service for safe packages
Hello,

what I am going to suggest has been discussed in a German Usenet security group: http://groups.google.de/g/8957ff07/t/79e56c62c480852d/d/ccbd59ad3467714f

As described on this page there are several components of "trust": http://wiki.opensuse.org/openSUSE:Build_Service_Concept_Trust

My suggestion is about the technical part only: Can you trust a package not to contain malicious code if you don't know the packager but trust the (cryptographically known) developer, or rather the organization providing the build service?

My idea is that the build service introduces a new layer of trust by establishing mechanisms which prevent malicious code from being introduced into a package. The result would be that a user could download a package from an unofficial repository and verify this package not only by the repository signature (which often has unknown security value) but also by a signature from the build service. This OBS signature would guarantee that the package has been created in a way which has been designed to avoid certain security problems. This way would be:

1) SuSE would include all public keys of developers which they use for the creation of official packages in the OBS. (That's the easy part...)
2) SuSE would include all patches and spec files which they use for official packages in the OBS.
3) SuSE would define a whitelist of compiler options.
4) The OBS would allow the repo maintainer to upload source code which has been signed by a key which is known to the OBS.
5) The OBS would allow the repo maintainer to select any components from the official package and compiler options from the whitelist.
6) The resulting package would get signed by the OBS.

The user would not know how up to date the source code is, but he would know that it was safe (apart from bugs by the developer).

The obvious problem is that this would be usable for a certain part of the unofficial packages only. 5%, 10%, 50%? I have no idea.
But I am sure that this would have to be a long-term approach. Based on the non-working packages, the OBS configuration options would have to be improved permanently. This need not be done by SuSE alone. If a big number of known developers sign a requested extension as safe, then it could be added without SuSE spending money on an investigation by its own security employees.

On the other hand I assume that the problem would decrease by itself. Developers would probably start paying attention to writing code in a BS-friendly way, at least if other distributors offer similar services someday. I assume that the rules for how to make source code BS-friendly would be the same for all distributions.

Another positive future influence would be that the official packages would be developed with BS-friendliness in mind. Thus every new openSUSE version would enable more packages to be signed by the OBS with quite little additional effort by SuSE.

CU

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
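The following is an added illustration of steps 4 to 6 of the proposal above, written for this page and not taken from the post or from the OBS project. It models the policy check (known developer key, official patches and spec file, whitelisted compiler options) and the signing of the result; the fingerprint, file names, whitelist and the HMAC key standing in for the OBS signing key are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed policy data standing in for what the OBS would hold after
# steps 1-3: developer keys, official patches/spec files and a compiler
# option whitelist. The fingerprint and file names are made up.
KNOWN_DEVELOPER_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
OFFICIAL_PATCHES = {"foo-1.0-fix-paths.patch", "foo-1.0-manpage.patch"}
OFFICIAL_SPECS = {"foo.spec"}
COMPILER_OPTION_WHITELIST = {"-O2", "-Wall", "-fstack-protector", "-D_FORTIFY_SOURCE=2"}

# Hypothetical symmetric stand-in for the OBS signing key; a real service
# would sign with an asymmetric key so clients can verify without the secret.
OBS_SIGNING_KEY = b"constructed-obs-signing-key"


def check_build_request(req):
    """Steps 4 and 5: return the list of policy violations (empty means acceptable)."""
    problems = []
    if req["source_signer"] not in KNOWN_DEVELOPER_KEYS:
        problems.append("source not signed by a key known to the OBS")
    for patch in req["patches"]:
        if patch not in OFFICIAL_PATCHES:
            problems.append("non-official patch: " + patch)
    if req["spec"] not in OFFICIAL_SPECS:
        problems.append("non-official spec file: " + req["spec"])
    for opt in req["compiler_options"]:
        if opt not in COMPILER_OPTION_WHITELIST:
            problems.append("compiler option not whitelisted: " + opt)
    return problems


def sign_package(req, package_sha256):
    """Step 6: sign the package hash together with the inputs it was built from.

    Returns None when the request violates policy, so nothing non-compliant is signed.
    """
    if check_build_request(req):
        return None
    manifest = json.dumps({"request": req, "package_sha256": package_sha256}, sort_keys=True)
    return hmac.new(OBS_SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()


def verify_obs_signature(req, package_sha256, signature):
    """Recompute the signature over the same manifest and compare in constant time."""
    expected = sign_package(req, package_sha256)
    return expected is not None and hmac.compare_digest(expected, signature)
```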