1 |
On Mon, Sep 08, 2003 at 01:32:45AM +0000, Jan Krueger wrote: |
2 |
> On Sunday 07 September 2003 20:35, Jon Portnoy wrote: |
3 |
> > What, that any situation involving installing software is going to have |
4 |
> > security holes? That's the nature of software installation. |
5 |
> |
6 |
> The gift of portage is a new quality of automated software installation |
7 |
> system, easy to use, never seen before. This is good. |
8 |
> |
9 |
> However by being a full automated software installation system portage has a |
10 |
> very high responsibilty for the integrity of the system it is run on. |
11 |
> |
12 |
> The discussion should have shown you, that the current portage can not bear |
13 |
> this responsibility. |
14 |
> |
15 |
> This thread showed and will continue to show: |
16 |
> ebuilds can overwrite any system file |
17 |
> ebuilds can wipe your box |
18 |
> ebuilds are affecting system integrity |
19 |
> ebuilds lack quality |
20 |
> |
21 |
> Some of you think this can be addressed by: |
22 |
> qa |
23 |
> signing ebuilds and files |
24 |
> |
25 |
> I say: |
26 |
> this is not sufficient. |
27 |
|
28 |
You haven't explained why it's not sufficient. |
29 |
|
30 |
> |
31 |
> Again examples from the actual tree, so you can try yourself: |
32 |
> 1. emerge ezmlm and emerge ezmlm-idx |
33 |
> providing slightly different funtionality they will overwrite each other |
34 |
> (instead of blocking each other) |
35 |
> |
36 |
|
37 |
Bug. Is it filed? |
38 |
|
39 |
> 2. emerge heartbeat (sys-cluster/heartbeat-1.0.3-r1, marked x86, so considered |
40 |
> stable) |
41 |
> If your emerge was successfull (it will be as long as you dont have snmp |
42 |
> installed), try to get it running! You wont! Then take a look at |
43 |
> bugs.gentoo.org since when important fixes are available. |
44 |
> |
45 |
> This two examples clearly show what the current qa is worth. (Well i respect |
46 |
> it very much, but its not perfect and never will be, thats qa, qa you for |
47 |
> sure know from other software/hardware products you use and used before, you |
48 |
> know the deficencies of qa then) |
49 |
> I am pretty sure you can post examples from the tree yourself. |
50 |
|
51 |
So we don't have enough manpower. I know that. The problem is finding |
52 |
good developers, people who're trustworthy and have a history of good |
53 |
contributions without a history of conflict. |
54 |
|
55 |
> |
56 |
> And to me its clear why it is like that (at least on reason): |
57 |
> If you compare the number of ebuilds to the number of CVS committers than you |
58 |
> will see, that it is impossible for each CVS-commiter to make a valuable |
59 |
> statement of the quality of the software and/or ebuild he/she is going to |
60 |
> commit. There are to many ebuilds. |
61 |
> |
62 |
> (i see this as an organizational deficiency of gentoo) |
63 |
> So it is probable that faulty ebuilds hit the tree. They are there actually. |
64 |
> |
65 |
> Conclusion for me: |
66 |
> I expect faulty ebuilds. they are there. (you will never wipe them out until |
67 |
> you change the organization of gentoo development to a more apropriate model, |
68 |
> and even then, you can only reduce the amount of faulty ebuilds. ebuilds are |
69 |
> software, software has bugs.) |
70 |
> |
71 |
> and therefore: |
72 |
> i hold portage responsible to protect my system from faulty ebuilds as much as |
73 |
> it can. |
74 |
> if not portage, who else? there is just me left, but then, i dont need |
75 |
> portage. |
76 |
> |
77 |
> I made several suggestions how portage can be improved to protect the system |
78 |
> it is run on. |
79 |
> -prevent ebuilds from modifying the life filesystem |
80 |
|
81 |
|
82 |
So basically you're saying portage shouldn't install software. |
83 |
|
84 |
> -allow the actual package install process only to add files to the filesystem |
85 |
> or to only modify/remove files that belong to an revision of the same ebuild |
86 |
> (qa would benefit from this suggestions too.) |
87 |
|
88 |
So we should never be able to tweak config files et al in an ebuild? |
89 |
|
90 |
> This would result in: |
91 |
> -enforced package integrity |
92 |
> -wiping my box from within the ebuild is no longer possible |
93 |
> Please implement the suggestions. |
94 |
|
95 |
What suggestions? As far as I can see, you haven't really suggested |
96 |
anything useful. I, on the other hand, have repeatedly told you how we |
97 |
can prevent these problems with solutions like GPG signing. You say |
98 |
that's not enough - and go on to make no real suggestions other than |
99 |
"this should be fixed!" |
100 |
|
101 |
Try being specific. |
102 |
|
103 |
> |
104 |
> Do you understand me? |
105 |
|
106 |
If you start getting patronizing with me, I'm going to apply an |
107 |
excellent patch that'll fix the entire issue - the procmailrc sort. I |
108 |
don't have time or patience for it. |
109 |
|
110 |
> |
111 |
> If still not, i will remind you of former times, when bootblock virii have |
112 |
> been very successfull. Why do you think they have been successfull and are no |
113 |
> longer? |
114 |
> Answer: Because it was possible to modify the bootblock. |
115 |
> |
116 |
> It is possible for an ebuild to wipe your box. |
117 |
> |
118 |
> So doesnt this scare you now? |
119 |
> |
120 |
> Jan |
121 |
|
122 |
No. It's also possible for a truck full of propane to run into |
123 |
my house. That doesn't encourage me to put up a concrete wall all around |
124 |
my house. |
125 |
|
126 |
-- |
127 |
Jon Portnoy |
128 |
avenj/irc.freenode.net |
129 |
|
130 |
-- |
131 |
gentoo-dev@g.o mailing list |