| 1 |
On Sun, 21 Jun 2009 17:00:01 +0200 |
| 2 |
Patrick Lauer <patrick@g.o> wrote: |
| 3 |
> > But generating that cache means running code, and one of the things |
| 4 |
> > that code could do is modify every overlay distributed by the box in |
| 5 |
> > question such that anyone using any of those overlays will run |
| 6 |
> > arbitrary code whenever they do emerge -p world. |
| 7 |
> |
| 8 |
> Good, this means we have to isolate it so that only each overlay |
| 9 |
> itself exists in an environment that generates the metadata cache. A |
| 10 |
> bit bothersome, but nothing more than adding a line or two to the |
| 11 |
> script(s) that drive(s) this process. |
| 12 |
|
| 13 |
So your process would be to clone a new VM for every overlay, add the |
| 14 |
overlay into that VM, do the generation and then grab the cache out of |
| 15 |
the VM? Ouch. |
| 16 |
|
| 17 |
> > There's a big difference between the levels of verification done for |
| 18 |
> > developers and that which is done for overlay maintainers. |
| 19 |
> > Currently, any overlay maintainer can root any box on which their |
| 20 |
> > overlay is used (whether or not anything from that overlay is |
| 21 |
> > installed). You're escalating this to any layman-listed overlay |
| 22 |
> > maintainer being able to root any box using any layman-listed |
| 23 |
> > overlay. |
| 24 |
> |
| 25 |
> Right, that would be silly. So ... we can restrict the whole concept |
| 26 |
> to official overlays if we want (trust and all that), and we can keep |
| 27 |
> separate environments per overlay to avoid cross-contamination. Which |
| 28 |
> keeps us about as exposed as the status quo, but we make updates and |
| 29 |
> dep calculation faster (at least for those overlays that are in a |
| 30 |
> sane condition). |
| 31 |
|
| 32 |
That's getting towards a more reasonable proposal. Although then if you |
| 33 |
decide you trust official overlays, the cross-contamination thing only |
| 34 |
needs to protect against accidental screw-ups, so you don't need the |
| 35 |
whole VM mess at all. |
| 36 |
|
| 37 |
> Y'know, what would be even more fun than this pingpong would be a |
| 38 |
> consistent counterproposal from you. Point out all the issues at once |
| 39 |
> instead of one per email and all that. |
| 40 |
|
| 41 |
I don't necessarily have a counterproposal. I don't think it's a bad |
| 42 |
idea in principle, I just don't think you've thought through the |
| 43 |
security implications. Once you do that, I don't see a way of doing this |
| 44 |
sensibly for overlays you don't absolutely totally trust. |
| 45 |
|
| 46 |
> Like this we're at the third or fourth iteration, people (including |
| 47 |
> me) get bored with the whole thread and some half-baked thing gets |
| 48 |
> implemented because only three people manage to read the mail thread |
| 49 |
> to its end ... |
| 50 |
|
| 51 |
You end up with half-baked proposals if you jump straight into doing |
| 52 |
something without repeatedly going over an idea until all the kinks are |
| 53 |
worked out. Some of the flaws in the proposal aren't immediately |
| 54 |
obvious and only come out after discussion. |
| 55 |
|
| 56 |
I realise you believe I'm perfect and all-knowing, and can instantly |
| 57 |
spot every single way your idea is flawed and immediately come up with |
| 58 |
a perfect alternative, and I don't blame you for that belief. However, |
| 59 |
a viable solution to this when untrusted overlays are involved doesn't |
| 60 |
immediately spring to mind, and if such a solution exists, experience |
| 61 |
suggests it'll only come about through possibly lengthy discussion, so |
| 62 |
I'd rather not prejudice you with my preconceptions. If you're not |
| 63 |
prepared to spend time discussing this, you'll definitely end up with |
| 64 |
something that's either highly limited in scope or that opens up a |
| 65 |
whole new avenue of abuse. |
| 66 |
|
| 67 |
-- |
| 68 |
Ciaran McCreesh |
Archives