Mailinglist Archive: opensuse-buildservice (349 mails)

< Previous Next >
Re: [opensuse-buildservice] How secure is openSUSE build service?
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Thu, 1 Nov 2007 09:52:56 +0100
  • Message-id: <20071101085256.GA2111@xxxxxxx>
On Wed, Oct 31, 2007 at 11:49:22PM +0100, Aniruddha wrote:
On Wed, 2007-10-31 at 22:45 +0100, Marcus Meissner wrote:
On Wed, Oct 31, 2007 at 10:28:57PM +0100, Aniruddha wrote:
I wonder what are the security policies for openSUSE? What are the
chances for malicious software (rootkits, trojans) being offered through
the build service?

You have to trust the project you add the URL for.

What is the procedure for security holes and/or exploits in software
offered in the openSUSE build repositories? I get the feeling openSUSE
is becoming just as insecure as Windows hence the warning you get when
adding repo's with 1-click install (see attachment). Or am I mistaken?
Any info would be appreciated!

The openSUSE OSS and non-OSS repositories are secured as usual and
the paranoid should only trust them.

The buildservice repos should not be considered containing secured
packages.

The security fix policy for those is also left to the responsible
maintainers.

Ciao, Marcus
---------------------------------------------------------------------

Is it just me or is this a giant step backwards? How can you trust a
project when everybody can upload files with no infrastructure to check
for malware? Even worse it is almost impossible to protect yourself
against rootkits.

Adrian has wrote some points already, but we will be changing the way
we sign stuff to have per-buildservice-project keys.

This will make this a per-project trust relation and not just a "trust
buildservice or not" relation ship.

And as I said, as long as you use the basesystem with its just 3000+
packages available and do not add additional stuff, you have the assurance
that it was done by SUSE developers ;)

Are there any future plans to set up an security infrastructure with
common rules for ensuring security?

Yes.

Ciao, Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx

< Previous Next >