| 1 |
On Mon, Sep 08, 2003 at 01:32:45AM +0000, Jan Krueger wrote: |
| 2 |
> On Sunday 07 September 2003 20:35, Jon Portnoy wrote: |
| 3 |
> > What, that any situation involving installing software is going to have |
| 4 |
> > security holes? That's the nature of software installation. |
| 5 |
> |
| 6 |
> The gift of portage is a new quality of automated software installation |
| 7 |
> system, easy to use, never seen before. This is good. |
| 8 |
> |
| 9 |
> However by being a full automated software installation system portage has a |
| 10 |
> very high responsibilty for the integrity of the system it is run on. |
| 11 |
> |
| 12 |
> The discussion should have shown you, that the current portage can not bear |
| 13 |
> this responsibility. |
| 14 |
> |
| 15 |
> This thread showed and will continue to show: |
| 16 |
> ebuilds can overwrite any system file |
| 17 |
> ebuilds can wipe your box |
| 18 |
> ebuilds are affecting system integrity |
| 19 |
> ebuilds lack quality |
| 20 |
> |
| 21 |
> Some of you think this can be addressed by: |
| 22 |
> qa |
| 23 |
> signing ebuilds and files |
| 24 |
> |
| 25 |
> I say: |
| 26 |
> this is not sufficient. |
| 27 |
|
| 28 |
You haven't explained why it's not sufficient. |
| 29 |
|
| 30 |
> |
| 31 |
> Again examples from the actual tree, so you can try yourself: |
| 32 |
> 1. emerge ezmlm and emerge ezmlm-idx |
| 33 |
> providing slightly different funtionality they will overwrite each other |
| 34 |
> (instead of blocking each other) |
| 35 |
> |
| 36 |
|
| 37 |
Bug. Is it filed? |
| 38 |
|
| 39 |
> 2. emerge heartbeat (sys-cluster/heartbeat-1.0.3-r1, marked x86, so considered |
| 40 |
> stable) |
| 41 |
> If your emerge was successfull (it will be as long as you dont have snmp |
| 42 |
> installed), try to get it running! You wont! Then take a look at |
| 43 |
> bugs.gentoo.org since when important fixes are available. |
| 44 |
> |
| 45 |
> This two examples clearly show what the current qa is worth. (Well i respect |
| 46 |
> it very much, but its not perfect and never will be, thats qa, qa you for |
| 47 |
> sure know from other software/hardware products you use and used before, you |
| 48 |
> know the deficencies of qa then) |
| 49 |
> I am pretty sure you can post examples from the tree yourself. |
| 50 |
|
| 51 |
So we don't have enough manpower. I know that. The problem is finding |
| 52 |
good developers, people who're trustworthy and have a history of good |
| 53 |
contributions without a history of conflict. |
| 54 |
|
| 55 |
> |
| 56 |
> And to me its clear why it is like that (at least on reason): |
| 57 |
> If you compare the number of ebuilds to the number of CVS committers than you |
| 58 |
> will see, that it is impossible for each CVS-commiter to make a valuable |
| 59 |
> statement of the quality of the software and/or ebuild he/she is going to |
| 60 |
> commit. There are to many ebuilds. |
| 61 |
> |
| 62 |
> (i see this as an organizational deficiency of gentoo) |
| 63 |
> So it is probable that faulty ebuilds hit the tree. They are there actually. |
| 64 |
> |
| 65 |
> Conclusion for me: |
| 66 |
> I expect faulty ebuilds. they are there. (you will never wipe them out until |
| 67 |
> you change the organization of gentoo development to a more apropriate model, |
| 68 |
> and even then, you can only reduce the amount of faulty ebuilds. ebuilds are |
| 69 |
> software, software has bugs.) |
| 70 |
> |
| 71 |
> and therefore: |
| 72 |
> i hold portage responsible to protect my system from faulty ebuilds as much as |
| 73 |
> it can. |
| 74 |
> if not portage, who else? there is just me left, but then, i dont need |
| 75 |
> portage. |
| 76 |
> |
| 77 |
> I made several suggestions how portage can be improved to protect the system |
| 78 |
> it is run on. |
| 79 |
> -prevent ebuilds from modifying the life filesystem |
| 80 |
|
| 81 |
|
| 82 |
So basically you're saying portage shouldn't install software. |
| 83 |
|
| 84 |
> -allow the actual package install process only to add files to the filesystem |
| 85 |
> or to only modify/remove files that belong to an revision of the same ebuild |
| 86 |
> (qa would benefit from this suggestions too.) |
| 87 |
|
| 88 |
So we should never be able to tweak config files et al in an ebuild? |
| 89 |
|
| 90 |
> This would result in: |
| 91 |
> -enforced package integrity |
| 92 |
> -wiping my box from within the ebuild is no longer possible |
| 93 |
> Please implement the suggestions. |
| 94 |
|
| 95 |
What suggestions? As far as I can see, you haven't really suggested |
| 96 |
anything useful. I, on the other hand, have repeatedly told you how we |
| 97 |
can prevent these problems with solutions like GPG signing. You say |
| 98 |
that's not enough - and go on to make no real suggestions other than |
| 99 |
"this should be fixed!" |
| 100 |
|
| 101 |
Try being specific. |
| 102 |
|
| 103 |
> |
| 104 |
> Do you understand me? |
| 105 |
|
| 106 |
If you start getting patronizing with me, I'm going to apply an |
| 107 |
excellent patch that'll fix the entire issue - the procmailrc sort. I |
| 108 |
don't have time or patience for it. |
| 109 |
|
| 110 |
> |
| 111 |
> If still not, i will remind you of former times, when bootblock virii have |
| 112 |
> been very successfull. Why do you think they have been successfull and are no |
| 113 |
> longer? |
| 114 |
> Answer: Because it was possible to modify the bootblock. |
| 115 |
> |
| 116 |
> It is possible for an ebuild to wipe your box. |
| 117 |
> |
| 118 |
> So doesnt this scare you now? |
| 119 |
> |
| 120 |
> Jan |
| 121 |
|
| 122 |
No. It's also possible for a truck full of propane to run into |
| 123 |
my house. That doesn't encourage me to put up a concrete wall all around |
| 124 |
my house. |
| 125 |
|
| 126 |
-- |
| 127 |
Jon Portnoy |
| 128 |
avenj/irc.freenode.net |
| 129 |
|
| 130 |
-- |
| 131 |
gentoo-dev@g.o mailing list |
Archives