1 |
On Sunday 07 September 2003 20:35, Jon Portnoy wrote: |
2 |
> What, that any situation involving installing software is going to have |
3 |
> security holes? That's the nature of software installation. |
4 |
|
5 |
The gift of portage is a new quality of automated software installation |
6 |
system, easy to use, never seen before. This is good. |
7 |
|
8 |
However by being a full automated software installation system portage has a |
9 |
very high responsibilty for the integrity of the system it is run on. |
10 |
|
11 |
The discussion should have shown you, that the current portage can not bear |
12 |
this responsibility. |
13 |
|
14 |
This thread showed and will continue to show: |
15 |
ebuilds can overwrite any system file |
16 |
ebuilds can wipe your box |
17 |
ebuilds are affecting system integrity |
18 |
ebuilds lack quality |
19 |
|
20 |
Some of you think this can be addressed by: |
21 |
qa |
22 |
signing ebuilds and files |
23 |
|
24 |
I say: |
25 |
this is not sufficient. |
26 |
|
27 |
Again examples from the actual tree, so you can try yourself: |
28 |
1. emerge ezmlm and emerge ezmlm-idx |
29 |
providing slightly different funtionality they will overwrite each other |
30 |
(instead of blocking each other) |
31 |
|
32 |
2. emerge heartbeat (sys-cluster/heartbeat-1.0.3-r1, marked x86, so considered |
33 |
stable) |
34 |
If your emerge was successfull (it will be as long as you dont have snmp |
35 |
installed), try to get it running! You wont! Then take a look at |
36 |
bugs.gentoo.org since when important fixes are available. |
37 |
|
38 |
This two examples clearly show what the current qa is worth. (Well i respect |
39 |
it very much, but its not perfect and never will be, thats qa, qa you for |
40 |
sure know from other software/hardware products you use and used before, you |
41 |
know the deficencies of qa then) |
42 |
I am pretty sure you can post examples from the tree yourself. |
43 |
|
44 |
And to me its clear why it is like that (at least on reason): |
45 |
If you compare the number of ebuilds to the number of CVS committers than you |
46 |
will see, that it is impossible for each CVS-commiter to make a valuable |
47 |
statement of the quality of the software and/or ebuild he/she is going to |
48 |
commit. There are to many ebuilds. |
49 |
|
50 |
(i see this as an organizational deficiency of gentoo) |
51 |
So it is probable that faulty ebuilds hit the tree. They are there actually. |
52 |
|
53 |
Conclusion for me: |
54 |
I expect faulty ebuilds. they are there. (you will never wipe them out until |
55 |
you change the organization of gentoo development to a more apropriate model, |
56 |
and even then, you can only reduce the amount of faulty ebuilds. ebuilds are |
57 |
software, software has bugs.) |
58 |
|
59 |
and therefore: |
60 |
i hold portage responsible to protect my system from faulty ebuilds as much as |
61 |
it can. |
62 |
if not portage, who else? there is just me left, but then, i dont need |
63 |
portage. |
64 |
|
65 |
I made several suggestions how portage can be improved to protect the system |
66 |
it is run on. |
67 |
-prevent ebuilds from modifying the life filesystem |
68 |
-allow the actual package install process only to add files to the filesystem |
69 |
or to only modify/remove files that belong to an revision of the same ebuild |
70 |
(qa would benefit from this suggestions too.) |
71 |
This would result in: |
72 |
-enforced package integrity |
73 |
-wiping my box from within the ebuild is no longer possible |
74 |
Please implement the suggestions. |
75 |
|
76 |
Do you understand me? |
77 |
|
78 |
If still not, i will remind you of former times, when bootblock virii have |
79 |
been very successfull. Why do you think they have been successfull and are no |
80 |
longer? |
81 |
Answer: Because it was possible to modify the bootblock. |
82 |
|
83 |
It is possible for an ebuild to wipe your box. |
84 |
|
85 |
So doesnt this scare you now? |
86 |
|
87 |
Jan |
88 |
|
89 |
|
90 |
-- |
91 |
gentoo-dev@g.o mailing list |