Software Management call for RFEs

Adam Williamson awilliam at redhat.com
Fri May 24 17:11:02 UTC 2013


On Thu, 2013-05-23 at 18:29 +0300, Panu Matilainen wrote:

> Rpm >= 4.10 can automatically download remote sources and patches over 
> http and ftp, but since there's (currently) no way to verify downloaded 
> content the feature is disabled by default as it's quite a security risk 
> to download arbitrary content from the internet without checking 
> checksums at least.

And note that it's as much Fedora policy as packaging stack capabilities
that prevents this happening at present: as discussed in another thread
it's a fundamental part of the Fedora packaging system's design that the
builders have no outside access, and it's the package maintainer's
explicit responsibility to provide the source files to the build system.
(The implication of this is that it is the package maintainer's
responsibility to provide, and verify that they are providing, the
_correct_ sources.)

We could of course build the smarts into the fedpkg layer - have some
fedpkg commands for checking out and building tarballs of SCM-hosted
content - but then you've just moved the security risk Panu mentioned to
that layer; if we do that it kind of sends a bad implication that it's
fine to just trust whatever you get from the SCM URL.

Thinking about this, it's one reason the style of doing 'git snapshot'
builds where you have Source0 be the last stable tarball and then
include the full patch series to master as generated by 'git
format-patch' as Patches could be considered superior to simply
including a git master snapshot tarball: at least if someone's concerned
about some kind of breach, they have an easily-verifiable base to work
off - as there should be an official checksum for the last release
tarball - and only have to check the patches for problems, rather than
checking the entire tree.

I think, to be honest, a lot of us as packagers slip some way short of
the 'ideals' here in day-to-day life, but that's probably no excuse for
making it _easier_ to avoid our responsibilities :)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
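The check the message argues the packager is responsible for, written out as an added example (it is not code from the original message and not part of rpm or fedpkg): parse the Source and Patch lines of a spec file, compare each Source tarball against a SHA256 obtained out of band (the official release checksum), and report every Patch as needing human review, since no checksum vouches for a patch series the packager generated with git format-patch. The spec text, file names and the bytes in the throwaway source tree are constructed here; in real use the expected checksum would come from the upstream release announcement, never from the same download.

```python
"""Verify a spec file's Source entries against known-good checksums and list
the Patch entries that still need human review.  Added example; the spec,
the checksum table and the files are constructed for the demonstration."""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches e.g. 'Source0: http://host/foo-1.0.tar.gz' and 'Patch3: 0003-x.patch'
SOURCE_RE = re.compile(r"^(Source|Patch)(\d*)\s*:\s*(\S+)\s*$", re.MULTILINE)


def parse_spec(spec_text):
    """Return two ordered lists of (tag, basename): sources and patches.
    Only the basename matters locally; the URL in Source0 says where the file
    was fetched from and is not a trust anchor."""
    sources, patches = [], []
    for kind, num, value in SOURCE_RE.findall(spec_text):
        entry = (f"{kind}{num}", value.rsplit("/", 1)[-1])
        (sources if kind == "Source" else patches).append(entry)
    return sources, patches


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(spec_text, srcdir, expected):
    """expected: {basename: sha256hex} obtained out of band.
    Returns {tag: status}.  Sources are 'ok', 'mismatch', 'missing' or
    'unverified' (no official checksum, so nothing to trust); patches are
    'review' or 'missing', because a checksum cannot vouch for a patch the
    packager wrote themselves."""
    srcdir = Path(srcdir)
    result = {}
    sources, patches = parse_spec(spec_text)
    for tag, name in sources:
        path = srcdir / name
        if not path.is_file():
            result[tag] = "missing"
        elif name not in expected:
            result[tag] = "unverified"
        elif sha256_file(path) == expected[name].lower():
            result[tag] = "ok"
        else:
            result[tag] = "mismatch"  # tampered, corrupt, or the wrong file
    for tag, name in patches:
        result[tag] = "review" if (srcdir / name).is_file() else "missing"
    return result


def ready_to_build(result):
    """True only when every Source verified and nothing is missing."""
    return all(v == "ok" for k, v in result.items() if k.startswith("Source")) \
        and "missing" not in result.values()


# Constructed spec fragment for the demonstration.
SPEC = """\
Name: foo
Version: 1.0
Source0: http://example.invalid/releases/foo-1.0.tar.gz
Patch0: 0001-fix-build.patch
Patch1: 0002-backport-feature.patch
"""


def run_demo():
    """Build a throwaway source tree and run the check twice: once with the
    tarball matching its checksum, once after its bytes have changed."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        tarball = tmp / "foo-1.0.tar.gz"
        tarball.write_bytes(b"not a real tarball, constructed for the example\n")
        (tmp / "0001-fix-build.patch").write_text("--- a/x\n+++ b/x\n")
        (tmp / "0002-backport-feature.patch").write_text("--- a/y\n+++ b/y\n")
        # Stands in for the published release checksum (constructed here).
        expected = {"foo-1.0.tar.gz": sha256_file(tarball)}
        good = verify_sources(SPEC, tmp, expected)
        tarball.write_bytes(b"different bytes under the same file name\n")
        bad = verify_sources(SPEC, tmp, expected)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print(good, ready_to_build(good))  # Source0 ok, patches listed for review
    print(bad, ready_to_build(bad))    # Source0 mismatch: do not build
```

The point of the split status values is the one the message makes: a verified Source0 reduces the review burden to the patch series, while a missing checksum ("unverified") is treated exactly like a mismatch for the purpose of deciding whether to build.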