Re: [opensuse-buildservice] How secure is openSUSE build service?
  • From: Dirk Stoecker <opensuse@xxxxxxxxxxxx>
  • Date: Sun, 4 Nov 2007 21:32:03 +0100 (CET)
  • Message-id: <alpine.LNX.0.9999.0711042128120.3286@xxxxxxxxxxxxxxxxx>
On Sun, 4 Nov 2007, Rajko M. wrote:

> Scanning binaries for known problems using some antivirus/rootkit
> software, before actually publishing, even in home:* repositories.

I personally do not like this idea much, because it carries the risk that
people believe that software is "good" if the scanner does not find
anything inside.

However, any scanner that helps manual reviewing is of course very
helpful.

The scanner solution will remove some number of possible attacks.
However, it will not help against the one mentioned in this mail:
http://lists.opensuse.org/opensuse/2007-11/msg00422.html
This is out of scope for scanners, but the number of people able to create it is
smaller than for known attacks.

Such a scanning system is, from my point of view, not a public interface. It should run in the background, operated by the server administrators (scanning either binaries or sources).

Build service users should only get to know about it when one of them tries nasty things and an administrator contacts them to tell them that they have been discovered (otherwise circumvention is no problem).

So it gives an additional security improvement without negative side effects. Like in "We trust you, but a bit of control can't be wrong :-)".

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
