Mailinglist Archive: opensuse-buildservice (306 mails)

[opensuse-buildservice] security improvement by signed build service for safe packages
  • From: Hauke Laging <mailinglisten@xxxxxxxxxxxxxxx>
  • Date: Tue, 8 Jun 2010 18:43:59 +0200
  • Message-id: <201006081844.07551.mailinglisten@xxxxxxxxxxxxxxx>
Hello,

what I am going to suggest has been discussed in a German Usenet security
group:
http://groups.google.de/g/8957ff07/t/79e56c62c480852d/d/ccbd59ad3467714f

As described on this page there are several components of "trust":
http://wiki.opensuse.org/openSUSE:Build_Service_Concept_Trust

My suggestion is about the technical part only: Can you trust a package not to
contain malicious code if you don't know the packager but trust the
(cryptographically known) developer or rather the organization providing the
build service?

My idea is that the build service introduces a new layer of trust by
establishing mechanisms which prevent malicious code from being introduced in
a package. The result would be that a user could download a package from an
unofficial repository and verify this package not only by the repository
signature (which often has unknown security value) but also by a signature
from the build service. This OBS signature would guarantee that the package
has been created in a way which has been designed to avoid certain security
problems.

This way would be:

1) SuSE would include all public keys of developers which they use for the
creation of official packages in the OBS. (That's the easy part...)

2) SuSE would include all patches and spec files which they use for official
packages in the OBS.

3) SuSE would define a whitelist of compiler options.

4) The OBS would allow the repo maintainer to upload source code which has
been signed by a key which is known by the OBS.

5) The OBS would allow the repo maintainer to select any components from the
official package and compiler options from the whitelist.

6) The resulting package would get signed by the OBS.

The user would not know how up to date the source code is but he would know
that it was safe (apart from bugs by the developer).


The obvious problem is that this would be usable for a certain part of the
unofficial packages only. 5%, 10%, 50%? I have no idea. But I am sure that
this would have to be a long term approach. Based on the non-working packages
the OBS configuration options would have to be improved permanently. This need
not be done by SuSE alone. If a big number of known developers signs a
requested extension as safe then it could be added without SuSE spending money
for an investigation by its own security employees.


On the other hand I assume that the problem would decrease by itself.
Developers would probably start paying attention to writing code in a BS
friendly way. At least if other distributors offer similar services someday. I
assume that the rules how to make source code BS friendly would be the same
for all distributions.


Another positive future influence would be that the official packages would be
developed with BS friendliness in mind. Thus every new openSUSE version would
enable more packages to be signed by the OBS with quite little additional
effort by SuSE.


CU

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
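The six-step scheme in the mail above, as an added example that is not part of Hauke's message or of the OBS code base: a small Go program modelling a build service that enforces the proposal (registered developer keys, official patches/spec files, a compiler-option whitelist) and signs the result only when every check passes. It assumes Ed25519 signatures, a key registry keyed by a developer ID, official components identified by their SHA-256 hash, and a manifest of input hashes as the thing the OBS signs; the type and function names, the sample spec file and the source bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// BuildPolicy holds what the build service must know in advance (steps 1-3 of
// the proposal): registered developer keys, hashes of the official patches and
// spec files, and the whitelist of compiler options. All hypothetical names.
type BuildPolicy struct {
	DeveloperKeys      map[string]ed25519.PublicKey // developer ID -> public key
	OfficialComponents map[string]bool              // sha256 hex of each official patch/spec file
	AllowedFlags       map[string]bool              // compiler options a repo maintainer may pick
}

// BuildRequest is what a repository maintainer submits (steps 4 and 5).
type BuildRequest struct {
	SignerID   string   // which registered developer key signed the source
	Source     []byte   // upstream source archive
	SourceSig  []byte   // developer's Ed25519 signature over Source
	Components [][]byte // patches/spec files chosen from the official set
	Flags      []string // compiler options chosen from the whitelist
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Evaluate returns every reason the request violates the policy; an empty
// result means the build may proceed. A wrong-length signature simply fails
// verification rather than panicking.
func (p BuildPolicy) Evaluate(req BuildRequest) []string {
	var reasons []string
	pub, known := p.DeveloperKeys[req.SignerID]
	if !known {
		reasons = append(reasons, "source signer "+req.SignerID+" is not a registered developer key")
	} else if !ed25519.Verify(pub, req.Source, req.SourceSig) {
		reasons = append(reasons, "source signature does not verify under key "+req.SignerID)
	}
	for i, c := range req.Components {
		if !p.OfficialComponents[sha256Hex(c)] {
			reasons = append(reasons, fmt.Sprintf("component %d is not an official patch/spec file", i))
		}
	}
	for _, f := range req.Flags {
		if !p.AllowedFlags[f] {
			reasons = append(reasons, "compiler option "+f+" is not on the whitelist")
		}
	}
	return reasons
}

// Manifest is the canonical record of what was built: signer, source hash,
// sorted component hashes and sorted flags. The OBS signs this in step 6, so a
// user can later tie the signature to the exact inputs.
func Manifest(req BuildRequest) []byte {
	var comps []string
	for _, c := range req.Components {
		comps = append(comps, sha256Hex(c))
	}
	sort.Strings(comps)
	flags := append([]string(nil), req.Flags...)
	sort.Strings(flags)
	return []byte(strings.Join([]string{
		"signer=" + req.SignerID,
		"source=" + sha256Hex(req.Source),
		"components=" + strings.Join(comps, ","),
		"flags=" + strings.Join(flags, ","),
	}, "\n"))
}

// BuildAndSign enforces the policy and, only if it passes, returns the
// manifest together with the build service's signature over it.
func BuildAndSign(p BuildPolicy, obsKey ed25519.PrivateKey, req BuildRequest) ([]byte, []byte, error) {
	if reasons := p.Evaluate(req); len(reasons) > 0 {
		return nil, nil, fmt.Errorf("build rejected: %s", strings.Join(reasons, "; "))
	}
	m := Manifest(req)
	return m, ed25519.Sign(obsKey, m), nil
}

// VerifyOBSSignature is the user-side check against the build service key.
func VerifyOBSSignature(obsPub ed25519.PublicKey, manifest, sig []byte) bool {
	return ed25519.Verify(obsPub, manifest, sig)
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	obsPub, obsPriv, _ := ed25519.GenerateKey(rand.Reader)
	spec := []byte("Name: example\nVersion: 1.0\n") // constructed stand-in for an official spec file
	source := []byte("constructed source archive bytes")
	policy := BuildPolicy{
		DeveloperKeys:      map[string]ed25519.PublicKey{"dev-1": devPub},
		OfficialComponents: map[string]bool{sha256Hex(spec): true},
		AllowedFlags:       map[string]bool{"-O2": true, "-fstack-protector-strong": true},
	}
	req := BuildRequest{SignerID: "dev-1", Source: source, SourceSig: ed25519.Sign(devPriv, source),
		Components: [][]byte{spec}, Flags: []string{"-O2"}}
	manifest, sig, err := BuildAndSign(policy, obsPriv, req)
	fmt.Println("accepted:", err == nil, "verifies:", VerifyOBSSignature(obsPub, manifest, sig))
	req.Flags = append(req.Flags, "-fno-stack-protector") // not whitelisted: rejected
	_, _, err = BuildAndSign(policy, obsPriv, req)
	fmt.Println(err)
}
```

The point of signing a manifest of input hashes rather than the bare binary is that it records which registered key, which official components and which whitelisted options produced the package, so the OBS signature vouches for the process the mail describes and not just for the bytes.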