P2P Packaging/Koji Cloud

Adam Williamson awilliam at redhat.com
Wed Dec 7 21:25:28 UTC 2011

On Wed, 2011-12-07 at 16:15 -0500, seth vidal wrote:
> On Wed, 07 Dec 2011 15:02:42 -0500
> Przemek Klosowski <przemek.klosowski at nist.gov> wrote:
> > On 12/07/2011 01:25 PM, seth vidal wrote:
> > 
> > > If I were going to use random vm's I'd want to:
> > > 1. connect using ssh
> > > 2. push over my own rpm/python/etc binaries
> > > 3. checksum all the rest of the installed (and running) software
> > > 4. verify those checksums versus my known good set
> > > 5. THEN push over the pkgs to be built
> > 
> > I'd say we need to be paranoid on this one and consider a tainted
> > kernel where your own binaries would report A-OK on a rigged gcc
> > because kernel has a special case for it. Test builds and QA might be
> > OK, but nothing that results in shipped bits.
> So I have two thoughts on this:
> 1. scratch or personal chainbuilds could be built in ec2 or rax or
> anywhere w/o an issue

I'm not sure we can treat scratch / personal builds with *quite* so much
abandon. They're still valuable targets for anyone trying to compromise
Fedora, after all.

Who uses scratch builds the most? Well, probably Fedora packagers,
right? And we probably wind up deploying them on our own systems after
we build them. That's what scratch builds are _for_ - testing your stuff
before pushing it out more widely.

So it occurs to me that if we have a hilariously insecure system for
doing scratch builds, and someone really wants to do evil things to
Fedora, it's going to make their lives a lot easier. All they have to do
is compromise a provenpackager's scratch build to include some kind of
trojan, then when the provenpackager installs the scratch build they
just fired off, hey presto, the attacker has now effectively gained
provenpackager privileges. They can just hack into the provenpackager's
system using the back door they just trojaned in there and go about
making their nefarious changes to Fedora just as if they were the
trusted packager; they don't need to attack 'important' builds in-flight
any more.

Let's put it this way - if we put such a system in place I'd damn well
be doing my scratch builds locally from then on. I wouldn't trust them
to Joe Q. Random's VM.

Yes, there are of course many other vectors an evil person could use
right now to try and attack Fedora via this indirect method, but I see
no pressing reason to make it any easier.
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora

More information about the devel mailing list