P2P Packaging/Koji Cloud

seth vidal skvidal at fedoraproject.org
Wed Dec 7 23:12:18 UTC 2011 

On Wed, 07 Dec 2011 13:25:28 -0800
Adam Williamson <awilliam at redhat.com> wrote:

> I'm not sure we can treat scratch / personal builds with *quite* so
> much abandon. They're still valuable targets for anyone trying to
> compromise Fedora, after all.

I don't think you understand - we need to be able to reliably reproduce
them- sure - but we cannot count on them anymore than we do now. Ie:
someone sends an arbitrary pkg with arbitrary repos to supply its
buildreqs - we cannot trust the pkg at all.

That's ALWAYS true.

but we definitely cannot allow the above to build on our existing build
boxes.

 
> Who uses scratch builds the most? Well, probably Fedora packagers,
> right? And we probably wind up deploying them on our own systems after
> we build them. That's what scratch builds are _for_ - testing your
> stuff before pushing it out more widely.

And again - if you are testing your own pkgs - you'll be fine - there's
no insecurity there.

You trust you.

and the trust of the images you're building from is up to which cloud
service provider you have a contractual relationship with.


> 
> So it occurs to me that if we have a hilariously insecure system for
> doing scratch builds, and someone really wants to do evil things to
> Fedora, it's going to make their lives a lot easier.

I don't think you understand where the insecurity is in the system.


> All they have to
> do is compromise a provenpackager's scratch build to include some
> kind of trojan, then when the provenpackager installs the scratch
> build they just fired off, hey presto, the attacker has now
> effectively gained provenpackager privileges. They can just hack into
> the provenpackager's system using the back door they just trojaned in
> there and go about making their nefarious changes to Fedora just as
> if they were the trusted packager; they don't need to attack
> 'important' builds in-flight any more.
> 
> Let's put it this way - if we put such a system in place I'd damn well
> be doing my scratch builds locally from then on. I wouldn't trust them
> to Joe Q. Random's VM.

No one has EVER seriously considered a random person's VM.

ever.

but I do think a vm you create at ec2 or rax or wherever is just fine.

b/c YOU create it with a known good/trusted img as the base.


do you understand now?


-sv

More information about the devel mailing list