1 |
On Sun, 21 Jun 2009 17:00:01 +0200 |
2 |
Patrick Lauer <patrick@g.o> wrote: |
3 |
> > But generating that cache means running code, and one of the things |
4 |
> > that code could do is modify every overlay distributed by the box in |
5 |
> > question such that anyone using any of those overlays will run |
6 |
> > arbitrary code whenever they do emerge -p world. |
7 |
> |
8 |
> Good, this means we have to isolate it so that only each overlay |
9 |
> itself exists in an environment that generates the metadata cache. A |
10 |
> bit bothersome, but nothing more than adding a line or two to the |
11 |
> script(s) that drive(s) this process. |
12 |
|
13 |
So your process would be to clone a new VM for every overlay, add the |
14 |
overlay into that VM, do the generation and then grab the cache out of |
15 |
the VM? Ouch. |
16 |
|
17 |
> > There's a big difference between the levels of verification done for |
18 |
> > developers and that which is done for overlay maintainers. |
19 |
> > Currently, any overlay maintainer can root any box on which their |
20 |
> > overlay is used (whether or not anything from that overlay is |
21 |
> > installed). You're escalating this to any layman-listed overlay |
22 |
> > maintainer being able to root any box using any layman-listed |
23 |
> > overlay. |
24 |
> |
25 |
> Right, that would be silly. So ... we can restrict the whole concept |
26 |
> to official overlays if we want (trust and all that), and we can keep |
27 |
> separate environments per overlay to avoid cross-contamination. Which |
28 |
> keeps us about as exposed as the status quo, but we make updates and |
29 |
> dep calculation faster (at least for those overlays that are in a |
30 |
> sane condition). |
31 |
|
32 |
That's getting towards a more reasonable proposal. Although then if you |
33 |
decide you trust official overlays, the cross-contamination thing only |
34 |
needs to protect against accidental screw-ups, so you don't need the |
35 |
whole VM mess at all. |
36 |
|
37 |
> Y'know, what would be even more fun than this pingpong would be a |
38 |
> consistent counterproposal from you. Point out all the issues at once |
39 |
> instead of one per email and all that. |
40 |
|
41 |
I don't necessarily have a counterproposal. I don't think it's a bad |
42 |
idea in principle, I just don't think you've thought through the |
43 |
security implications. Once you do that, I don't see a way of doing this |
44 |
sensibly for overlays you don't absolutely totally trust. |
45 |
|
46 |
> Like this we're at the third or fourth iteration, people (including |
47 |
> me) get bored with the whole thread and some half-baked thing gets |
48 |
> implemented because only three people manage to read the mail thread |
49 |
> to its end ... |
50 |
|
51 |
You end up with half-baked proposals if you jump straight into doing |
52 |
something without repeatedly going over an idea until all the kinks are |
53 |
worked out. Some of the flaws in the proposal aren't immediately |
54 |
obvious and only come out after discussion. |
55 |
|
56 |
I realise you believe I'm perfect and all-knowing, and can instantly |
57 |
spot every single way your idea is flawed and immediately come up with |
58 |
a perfect alternative, and I don't blame you for that belief. However, |
59 |
a viable solution to this when untrusted overlays are involved doesn't |
60 |
immediately spring to mind, and if such a solution exists, experience |
61 |
suggests it'll only come about through possibly lengthy discussion, so |
62 |
I'd rather not prejudice you with my preconceptions. If you're not |
63 |
prepared to spend time discussing this, you'll definitely end up with |
64 |
something that's either highly limited in scope or that opens up a |
65 |
whole new avenue of abuse. |
66 |
|
67 |
-- |
68 |
Ciaran McCreesh |