Re: P2P Packaging/Koji Cloud

On Wed, 07 Dec 2011 13:25:28 -0800
Adam Williamson <awilliam@xxxxxxxxxx> wrote:

> I'm not sure we can treat scratch / personal builds with *quite* so
> much abandon. They're still valuable targets for anyone trying to
> compromise Fedora, after all.

I don't think you understand - we need to be able to reliably reproduce
them, sure, but we cannot count on them any more than we do now. I.e.:
someone sends an arbitrary pkg with arbitrary repos to supply its
buildreqs - we cannot trust the pkg at all.

That's ALWAYS true.

But we definitely cannot allow the above to build on our existing build
boxes.

> Who uses scratch builds the most? Well, probably Fedora packagers,
> right? And we probably wind up deploying them on our own systems after
> we build them. That's what scratch builds are _for_ - testing your
> stuff before pushing it out more widely.

And again - if you are testing your own pkgs - you'll be fine - there's
no insecurity there.

You trust you.

And the trust of the images you're building from is up to which cloud
service provider you have a contractual relationship with.


> 
> So it occurs to me that if we have a hilariously insecure system for
> doing scratch builds, and someone really wants to do evil things to
> Fedora, it's going to make their lives a lot easier.

I don't think you understand where the insecurity is in the system.


> All they have to
> do is compromise a provenpackager's scratch build to include some
> kind of trojan, then when the provenpackager installs the scratch
> build they just fired off, hey presto, the attacker has now
> effectively gained provenpackager privileges. They can just hack into
> the provenpackager's system using the back door they just trojaned in
> there and go about making their nefarious changes to Fedora just as
> if they were the trusted packager; they don't need to attack
> 'important' builds in-flight any more.
> 
> Let's put it this way - if we put such a system in place I'd damn well
> be doing my scratch builds locally from then on. I wouldn't trust them
> to Joe Q. Random's VM.

No one has EVER seriously considered a random person's VM.

Ever.

But I do think a VM you create at EC2 or RAX or wherever is just fine.

Because YOU create it with a known good/trusted img as the base.


Do you understand now?


-sv
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
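The argument above rests on the throwaway build VM being started from a known good/trusted image. The check a practitioner would want before launching such a VM is that the image on disk really is the pinned one. The script below is an added example, not code from this thread or from Fedora's Koji; the image file and its digest are constructed for the demo, and in practice the pinned digest would come from the provider's or project's signed image manifest.

```shell
#!/bin/sh
# Added example: refuse to launch a build VM unless the base image matches a
# pinned SHA-256 digest. verify_base_image returns 0 on match, 1 on mismatch,
# 2 if the image file is missing.

verify_base_image() {
    image="$1"
    expected="$2"
    if [ ! -f "$image" ]; then
        echo "missing image: $image" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image matches pinned digest"
        return 0
    fi
    echo "REFUSE: $image digest $actual does not match pinned $expected" >&2
    return 1
}

# Constructed demo: write a tiny stand-in image, pin its digest, check it,
# then tamper with it and confirm the check now refuses the image.
demo() {
    tmp=$(mktemp -d)
    printf 'fake-base-image-v1\n' > "$tmp/base.img"
    pinned=$(sha256sum "$tmp/base.img" | cut -d' ' -f1)

    if verify_base_image "$tmp/base.img" "$pinned"; then ok=0; else ok=$?; fi

    printf 'tampered\n' >> "$tmp/base.img"
    if verify_base_image "$tmp/base.img" "$pinned"; then bad=0; else bad=$?; fi

    if verify_base_image "$tmp/missing.img" "$pinned"; then gone=0; else gone=$?; fi

    rm -rf "$tmp"
    # demo succeeds only if the pristine image passed and both bad cases refused
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ] && [ "$gone" -eq 2 ]
}

demo
```

The digest comparison is deliberately the only decision point: the launcher either starts the VM from the exact image that was pinned or does not start it at all, which is what makes the scratch-build VM's starting state something the person who created it can vouch for.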


