Gentoo Archives: gentoo-project

From: "Michał Górny" <mgorny@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 04 Feb 2019 14:13:43
Message-Id: 1549289616.893.18.camel@gentoo.org
In Reply to: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed] by Alexis Ballier
On Mon, 2019-02-04 at 15:04 +0100, Alexis Ballier wrote:
> On Mon, 04 Feb 2019 14:54:40 +0100
> Michał Górny <mgorny@g.o> wrote:
>
> > On Mon, 2019-02-04 at 14:48 +0100, Alexis Ballier wrote:
> > > On Mon, 04 Feb 2019 14:28:28 +0100
> > > Michał Górny <mgorny@g.o> wrote:
> > >
> > > > On Mon, 2019-02-04 at 11:58 +0100, Alexis Ballier wrote:
> > > > > On Sun, 03 Feb 2019 20:28:49 +0100
> > > > > Michał Górny <mgorny@g.o> wrote:
> > > > >
> > > > > > ---
> > > > > > What do you think?
> > > > > >
> > > > >
> > > > > What is the difference with sunrise?
> > > >
> > > > The difference, as noted in the mail, is that it doesn't rely
> > > > on developers having time to review ebuilds. Therefore, it is
> > > > less likely to die because of developers lacking time to review
> > > > stuff.
> > >
> > >
> > > Then I fear you will see the same pitfalls, and it already started:
> > > I recall sunrise haters being very strongly against the idea
> > > because, TBH, our sandboxing mechanism isn't a real sandbox. It may
> > > have improved, but I doubt it's up to the point that we can safely
> > > run untrusted code there.
> >
> > Sandboxing has nothing to do with security, and trying to 'improve'
> > its security is a waste of time. What's the point of preventing
> > ebuilds from doing malicious things at build time if they can install
> > files that do malicious things afterwards?
>
>
> Because one may or may not run a malicious binary. You are more likely
> to install it. And even more likely to source the ebuild.

1. There are trivial ways to make you run something. Imagine an ebuild
installing into /etc/local.d. Or /etc/cron.d.

2. By design, postinst is run with full privileges. It is meant to
allow ebuilds to run stuff, as root.

--
Best regards,
Michał Górny

Attachments: signature.asc (application/pgp-signature)
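The two escape hatches named in the message above (an ebuild dropping files into an autorun directory such as /etc/local.d or /etc/cron.d, and pkg_postinst running as root) are things a reviewer of an unreviewed overlay can at least grep for. The script below is an added example written for this page; it is not from the thread, from Portage, or from the GURU project. It is a line-level heuristic, not a sandbox or a security boundary: it only points a human reviewer at the places where an ebuild gets code executed outside the build phase. The sample ebuild it scans is constructed here for illustration and is not a real package; the path list and the helper names scan_ebuild, count_findings and write_sample_ebuild are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Portage.
# Flags (a) writes into directories whose contents get executed without
# any user action and (b) definitions of the pkg_* phases, which Portage
# runs with full root privileges. Heuristic only: grep-level triage for a
# reviewer, not a replacement for reading the ebuild.

# Print "<file>:<line>:<kind>:<text>" for each suspicious line.
scan_ebuild() {
    awk -v file="$1" '
        # Autorun locations: local.d, cron.d and friends, init scripts,
        # profile.d. The list is an assumption of this example, extend it.
        /\/etc\/local\.d|\/etc\/cron\.(d|hourly|daily|weekly|monthly)|\/etc\/init\.d|\/etc\/profile\.d/ {
            printf "%s:%d:autorun:%s\n", file, NR, $0
        }
        # Phase functions Portage executes as root on the live system.
        /^[[:space:]]*pkg_(preinst|postinst|prerm|postrm|config)[[:space:]]*\(\)/ {
            printf "%s:%d:root-phase:%s\n", file, NR, $0
        }
    ' "$1"
}

# Number of flagged lines, so the scan can gate a CI job or a review queue.
count_findings() {
    scan_ebuild "$1" | wc -l | tr -d ' '
}

# Constructed sample ebuild (not a real package) that exercises both
# patterns the message describes. exeinto/doexe/insinto/doins/elog are
# real ebuild helpers; the package itself is made up.
write_sample_ebuild() {
    cat > "$1" <<'EOF'
# Constructed example for illustration, not a real ebuild.
EAPI=7
DESCRIPTION="Example showing why the build sandbox is not a security boundary"
SLOT="0"

src_install() {
    # Scripts placed here are run by the local service at boot.
    exeinto /etc/local.d
    doexe "${FILESDIR}"/example.start
    # Files placed here are run by cron as root.
    insinto /etc/cron.d
    doins "${FILESDIR}"/example.cron
}

pkg_postinst() {
    # Portage runs this phase with full root privileges by design.
    elog "installed"
}
EOF
}

# Demo: write the sample, scan it, clean up.
demo_file=$(mktemp)
write_sample_ebuild "$demo_file"
scan_ebuild "$demo_file"
echo "findings: $(count_findings "$demo_file")"
rm -f "$demo_file"
```

Run it as `sh scan-ebuild.sh` for the built-in demo, or call `scan_ebuild some/package.ebuild` after sourcing it. A hit is not proof of malice: plenty of legitimate packages ship cron jobs and need pkg_postinst. The point, as in the message, is that such lines put code on the path to execution as root, so they deserve a reviewer's eyes regardless of what the build-time sandbox permits.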