Re: RPM security (a newbie question)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Rahul Sundaram wrote:
> Todd Zullinger wrote:
>> While the review guidelines do make sure that the source code
>> matches upstream¹, that doesn't ensure that upstream doesn't have
>> backdoors, holes, malicious content, etc.
>
> That's a totally different question IMO.

No doubt.  I was only mentioning this because I _think_ it is what
Stanisław was getting at.

> We at the distribution level can only check whether there is a
> packaging level attempt at introducing a security hole. Doing a
> complete security audit of all the code that is being included is
> not feasible at all at the distribution level. This btw, has nothing
> to do with RPM or any other packaging method. All distributions work
> on the principle that upstream projects are responsible at the code
> level for their own security. We can add things like compiler
> options and firewalls but that doesn't prevent a upstream security
> hole from being exploited, whether introduced accidentally or not.

I fully agree. :)

And, of course, on top of compiler options and firewalls, SELinux is
one more layer that is added to protect against problems in upstream
code.  If upstream code has some hole that tries to mail off
/etc/passwd somewhere, this is very likely to be denied by SELinux.
And when someone reports the denial, Dan, Miroslav, and the other
SELinux maintainers aren't too likely to allow it without asking what
good reason the upstream code would have to take such an action.

But as you say, it's not possible for any distro to find and fix every
security hole, just as it's not possible to find and fix every bug.
More help is always welcome.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I always keep a supply of stimulant handy in case I see a snake -
which I also keep handy.
    -- W. C. Fields

Attachment: pgpywfBk9Wwxz.pgp
Description: PGP signature

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux