[opensuse-buildservice] Unique vendors per repository are a must and the current setup is a timebomb / security hole
  Date: Thu, 26 Nov 2009 03:53:32 +0100
Hi folks.

In Michael asked me to take
my issue to the mailing list so I'm gonna present my case here:

My problem is that currently a repository's "vendor" apparently is bound to
its PGP key, which IMHO is a timebomb because of zypp's "vendor stickiness":
it currently considers every repository that gets signed with the same key
as the same "vendor".

Now consider the following use case:

1. There are repos A:Foo and A:Bar.
2. Since A:Foo & A:Bar use the same PGP key, they also use the same vendor.
3. A:Foo contains Package1 and unstable svn snapshots of Package2.
4. A:Bar contains Package2 and unstable svn snapshots of Package1.

Now I want to install Package1 from A:Foo and Package2 from A:Bar, and I don't
want to install their respective svn copies.

So I have to specify for every package which repository to use, but this won't
work because both use the same vendor, because they use the same PGP key.

It was suggested to use repository priorities but this doesn't work either in
that case because the stable / unstable (svn) stuff is in the other repo.

That theoretical setting aside, it also makes using OBS with zypp kind of
Russian roulette because there's no way to foresee when someone will publish a
newer binary in some sub-repository (that uses the same vendor because it gets
signed by the same PGP key) and then I get updated to that newer version from
a different repo _which I do not want_!

So this also introduces a pretty severe security hole IMHO.

IOW: I consider it absolutely mandatory to be able to say I want to get
PackageX _only_ from RepositoryY and _nowhere_ else, which currently is _not_

Other thoughts:

1. I agree that using the same PGP key to sign different (sub)repositories
makes sense because the "trust level" is the same.

2. I totally disagree that linking the signing PGP key to the repository's
vendor is a good idea because the trust level (PGP key) simply is a different
thing than the state of the repo from which I would like to get a certain

3. Manually setting the vendor in the prjconf is no option because I'm not able
to do that on the public OBS, and there are far too many repos to write
everyone an email and ask him / her to set a unique vendor.

Proposed solution:

1. Feel free to use the same key to sign different (sub)repositories (as it is
now) if the "trust level" is the same.

2. Use _unique_ vendors per repository so one is able to say "I want PackageX
only from RepositoryY and nowhere else." which is currently _not_ possible.

Possible Implementation:

1. Use the PGP keys as you use them currently.
2. Assign a _unique_ vendor to every existing repository and generate unique
vendors for all new repos.
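To make the use case above and the effect of the proposed per-repository vendors concrete, here is a small model of the resolver's vendor-stickiness rule. This is an added example written for this mail, not zypp's or OBS's own code; it assumes only the rule the mail describes (an installed package is updated only to a newer version carrying the same vendor string), and the repos, packages, versions and the vendor string derived from the shared key are constructed values for the A:Foo / A:Bar scenario.

```python
"""Added example: a toy model of zypp's vendor-stickiness rule.

Illustrative code written for this mail, not zypp's or OBS's own code.
It keeps one rule from the mail: an installed package may only be
updated to a newer version that carries the *same* vendor string.
Repositories, package names, versions and vendor strings are constructed
for the A:Foo / A:Bar scenario.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkg:
    name: str
    version: str
    repo: str
    vendor: str


def version_key(version: str) -> tuple:
    """Simplified ordering: compare the numeric segments left to right.

    This is NOT rpm's real version comparison; it is only enough to make
    '1.0+svn456' sort after '1.0' for this demonstration."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def update_candidate(installed: Pkg, available, vendor_sticky: bool = True):
    """Return the newest available package the resolver would update
    `installed` to, or None if it stays as it is.

    With vendor_sticky=True (the default behaviour the mail describes)
    candidates from a different vendor are ignored, so a vendor change
    never happens silently on update."""
    cands = [
        p for p in available
        if p.name == installed.name
        and version_key(p.version) > version_key(installed.version)
        and (not vendor_sticky or p.vendor == installed.vendor)
    ]
    return max(cands, key=lambda p: version_key(p.version), default=None)


def build_scenario(unique_vendors: bool):
    """Repos A:Foo and A:Bar from the mail.

    unique_vendors=False: both repos carry the vendor derived from the
    shared signing key (constructed placeholder value).
    unique_vendors=True:  each repo gets its own vendor string."""
    v_foo = "A:Foo" if unique_vendors else "key:0xCONSTRUCTED"
    v_bar = "A:Bar" if unique_vendors else "key:0xCONSTRUCTED"
    available = [
        Pkg("Package1", "1.0",        "A:Foo", v_foo),  # stable
        Pkg("Package2", "2.0+svn123", "A:Foo", v_foo),  # unstable snapshot
        Pkg("Package2", "2.0",        "A:Bar", v_bar),  # stable
        Pkg("Package1", "1.0+svn456", "A:Bar", v_bar),  # unstable snapshot
    ]
    # What the user deliberately installed: stable Package1 from A:Foo,
    # stable Package2 from A:Bar.
    installed = [available[0], available[2]]
    return installed, available


def simulate(unique_vendors: bool) -> dict:
    """Map each installed package name to the repo an update would be
    pulled from, or None when vendor stickiness keeps it where it is."""
    installed, available = build_scenario(unique_vendors)
    result = {}
    for pkg in installed:
        cand = update_candidate(pkg, available)
        result[pkg.name] = cand.repo if cand else None
    return result


if __name__ == "__main__":
    # Shared vendor: both stable packages get replaced by the svn snapshot
    # from the *other* repo. Unique vendors: nothing moves.
    print("shared vendor :", simulate(unique_vendors=False))
    print("unique vendors:", simulate(unique_vendors=True))
```

Running it prints the shared-vendor case pulling Package1 from A:Bar and Package2 from A:Foo (the svn snapshots), while with a unique vendor per repository neither package has a same-vendor newer version and both stay at the deliberately installed stable builds; that is exactly the difference the proposal above is about.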

Final conclusion:

1. I consider being able to say "I want PackageX only from RepositoryY and
nowhere else." absolutely mandatory but this is currently _not_ possible with

2. This could easily be changed by using unique vendors per repository on OBS.

3. I honestly fail to see why you argue so much against using unique vendors
per repository.

So please either tell me a solution that solves the above described use cases
or change the public OBS configuration so unique vendors per repository are

