[Mageia-dev] Will this work for a build system?

Mon Sep 27 12:31:18 CEST 2010

On Monday, 27 September 2010 10:51:19 Giuseppe Ghibò wrote:
+> 2010/9/27 Michael Scherer <misc at zarb.org>
+> 
+> > Le lundi 27 septembre 2010 à 03:19 +0200, vfmBOFH a écrit :
+> > > What about virtualization?
+> > > 
+> > > Maybe we could set-up some kind of cluster of remote and dedicated
+> > > vm's as a
+> > > unique build system.
+
+Are you familiar with how the Mandriva build cluster worked? If not, you 
+should try and familiarise yourself with it first. While there are areas for 
+improvement, most of the time it worked very effectively.
+
+> > > Could be a good workaround over security and
+> > > integrity issues, 'cause we are using a "single" build system.
+
+You need to explain further how "remote" VMs can be used to workaround 
+security issues ...
+
+> > Well, how do you garantee that the person who have physical access do
+> > not mess with the vm image ?
+
+Again, as I said earlier, you need to be able to maintain the entire integrity 
+of the build environment/tool chain, not just the source of software being 
+compiled (to avoid trojaned compiler, possibly injected by trojan hypervisor 
+etc.).
+
+> > Look at libvirt developers blog ( http://rwmj.wordpress.com/ ) to see
+> > how easy it can be to externally mess with a virtual instance if you are
+> > root on the host computer.
+
+> The only way of doing this is NOT letting anyone packaging or uploading a
+> tarball.
+
+This is not the only requirement.
+
+> Just have two different building system. One "secure" and the
+> other of contributors (not unsecure, but with less checking). The secure
+> one would download the tarball automatically from the original
+> repositories:
+> 
+> e.g.: suppose there is a package SPEC file containing:
+> 
+> Source: http://blabla.com/openssh-5.5-1.tar.xz
+> Source1: http://blabla.com/openssh-5.5.1.tar.sig
+> 
+> An automatic system would try to retrieve from the http://blabla.com/ site
+> the packages
+> http://blabla.com/openssh-5.5-1.tar.xz, or if not exists
+> http://blabla.com/openssh-5.5-1.tar.bz2 or
+> http://blabla.com/openssh-5.5-1.tar.gz or
+> http://blabla.com/openssh-5.5-1.tar. Then would retrieve the signature
+> http://blabla.com/openssh-5.5.1.tar.sig and would check with the one from
+> the Database of signatures which has been already populated on the secure
+> system. If the signatures checking would match, then tarball would be
+> uploaded to the "secure" system svn and used for building instead of the
+> one from the contributor/package maintainer.
+> 
+> [Of course the system would fail if the package maintainer has downloaded
+> the source tarball from the svn and not from a canonical repository, and to
+> be further secure this system would require also signing of Patches].
+
+IMHO, you should also keep the public keys of tarball signers. Please have a 
+look at the samba SPEC file, which does verification of the tarball signature 
+during %prep. In conjunction with the existing build tools (repsys/mdvsys 
+etc.), a single command ('mdvsys update samba xxx') currently (usually) 
+updates and submits the package, and building it at any time validates the 
+source tarball.
+
+Actually, I still need to petition other security-sensitive packages which 
+have previously said that tarball signing is irrelevant (due to the problem of 
+first establishing trust of public keys etc.).
+
+Regards,
+Buchan
+