Re: hosted reproducible package building with multiple developers?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/08/2010 01:03 PM, James Ralston wrote:
> Riddle me this.
> 
> We want to provide a server for developers within our organization to
> build RPM packages for use within our organization.
> 
> These are our requirements:
> 
>     1.  The developers must not be able to leverage the package build
>         process to obtain root access on the server.
> 
>     2.  If a package has a build dependency that is not explicitly
>         specified, the build must fail.
> 
>     3.  If two developers are building packages simultaneously, their
>         builds must not conflict.
> 
> The only way satisfy requirements #2 and #3 is to use a chroot'ed
> build environment.
> 
> mock(1) uses a chroot'ed build environment, but mock fails requirement
> #1, as anyone in the "mock" group can trivially root the box.
> 
> I think that koji would satisfy all three requirements, because koji
> uses mock to build, but doesn't allow developers to interface with
> mock directly.  But setting up a koji infrastructure seems like a
> highly non-trivial task.
> 
> Is there really no way to meet all three of these requirements without
> going the full-blown koji route?
> 

We have been slowly looking into an SELinux solution for this.  Just
using koji/mock is still dangerous, since the environment is running as
root and the rpm could contain stuff to attack the system.  (Break out
of the choot, attack other mock systems.  Attack the network etc.)

To make this secure, you really need a sandboxed mock.  Where the mock
environment runs with a context of mock_t and is isolated from other
mock environments using MCS separation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0CMFAACgkQrlYvE4MpobMJXACfawU8kCL9/eWIJgk46Rrka2FZ
uGEAoOFLc8aDDLGGV0ldPI3cDNP79SqS
=ZCfg
-----END PGP SIGNATURE-----
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux