On Wed, 2011-12-07 at 16:15 -0500, seth vidal wrote: > On Wed, 07 Dec 2011 15:02:42 -0500 > Przemek Klosowski <przemek.klosowski@xxxxxxxx> wrote: > > > On 12/07/2011 01:25 PM, seth vidal wrote: > > > > > If I were going to use random vm's I'd want to: > > > 1. connect using ssh > > > 2. push over my own rpm/python/etc binaries > > > 3. checksum all the rest of the installed (and running) software > > > 4. verify those checksums versus my known good set > > > 5. THEN push over the pkgs to be built > > > > I'd say we need to be paranoid on this one and consider a tainted > > kernel where your own binaries would report A-OK on a rigged gcc > > because kernel has a special case for it. Test builds and QA might be > > OK, but nothing that results in shipped bits. > > > So I have two thoughts on this: > > 1. scratch or personal chainbuilds could be built in ec2 or rax or > anywhere w/o an issue I'm not sure we can treat scratch / personal builds with *quite* so much abandon. They're still valuable targets for anyone trying to compromise Fedora, after all. Who uses scratch builds the most? Well, probably Fedora packagers, right? And we probably wind up deploying them on our own systems after we build them. That's what scratch builds are _for_ - testing your stuff before pushing it out more widely. So it occurs to me that if we have a hilariously insecure system for doing scratch builds, and someone really wants to do evil things to Fedora, it's going to make their lives a lot easier. All they have to do is compromise a provenpackager's scratch build to include some kind of trojan, then when the provenpackager installs the scratch build they just fired off, hey presto, the attacker has now effectively gained provenpackager privileges. They can just hack into the provenpackager's system using the back door they just trojaned in there and go about making their nefarious changes to Fedora just as if they were the trusted packager; they don't need to attack 'important' builds in-flight any more. Let's put it this way - if we put such a system in place I'd damn well be doing my scratch builds locally from then on. I wouldn't trust them to Joe Q. Random's VM. Yes, there are of course many other vectors an evil person could use right now to try and attack Fedora via this indirect method, but I see no pressing reason to make it any easier. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
