P2P Packaging/Koji Cloud

夜神 岩男 supergiantpotato at yahoo.co.jp
Wed Dec 7 19:34:57 UTC 2011 

An idea just struck me that may work.

If the system is made light enough that it is utterly painless for 
anyone to contribute processing time then cross-checking of hashes could 
be made statistically secure, save for a widespread compromise of the 
entire Fedora userbase.

For example, if I just "yum install skyline"[1] and then set "chkconfig 
skyline on" or whatever the systemd equivalent is (sorry, haven't kept 
up lately) and my system just started pulling packages to build/rebuild 
constantly in the background with a priority level low enough I'd never 
notice it, then overnight Fedora as a project would have FAR more build 
time than it needs.

So how is this secure?

Each time a build is made, the building system makes a hash of the set 
of RPMs in $wherever/mock/result/{foo,bar} and sends the completed data 
back to the Fedora build system.

Now the Fedora build system checks the hash to make sure it is correct. 
Of course it is, because we've only got one sample.

But then we collect the other builds of the same RPM from, say, 10 other 
random systems and compare their hashes to what was received from the 
initial build system.

A has that doesn't match whatever arises as the common hash is either an 
error (likely considering the amount of transmission involved) or 
poisoned. These will stick out like a sore thumb amongst the forest of 
correct builds.

So how would I compromise this system? I would have to poison every 
single SRPM departing the Fedora build infrastructure. Hard, maybe, but 
possible.

How do we prevent that? Use SSL to transfer the packages in the first 
place, and now that avenue is not available in the time allotted for the 
attack to proceed.

This system depends chiefly on one thing: Having a boatload of 
contributors. I think we could easily expect 1,000+ active contributors, 
particularly if we make this a happy competition complete with a stats 
tracker the way the BOINC and SETI at Home trackers work. People who send 
more than 1 bad hash could be notified by their system that things 
aren't working out which could be an early warning in identifying 
whether the system is indeed being attacked (or the individual's system 
has been compromised). A throttle based on such indicators could let us 
know to halt the distributed build and switch back to "old koji".

Just some ideas.

1. Sorry, silly package name idea from the image of city construction 
"koji" + "cloud"

More information about the devel mailing list