<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] Will this work for a build system?
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Will%20this%20work%20for%20a%20build%20system%3F&In-Reply-To=%3CAANLkTikjmMcDvmtwAZ_Qw3Q%2BWj5B%3Dg8F5sL9RiPnCGa5%40mail.gmail.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000292.html">
   <LINK REL="Next"  HREF="000296.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] Will this work for a build system?</H1>
    <B>Giuseppe Ghib&#242;</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Will%20this%20work%20for%20a%20build%20system%3F&In-Reply-To=%3CAANLkTikjmMcDvmtwAZ_Qw3Q%2BWj5B%3Dg8F5sL9RiPnCGa5%40mail.gmail.com%3E"
       TITLE="[Mageia-dev] Will this work for a build system?">ghibomgx at gmail.com
       </A><BR>
    <I>Mon Sep 27 11:51:19 CEST 2010</I>
    <P><UL>
        <LI>Previous message: <A HREF="000292.html">[Mageia-dev] Will this work for a build system?
</A></li>
        <LI>Next message: <A HREF="000296.html">[Mageia-dev] Will this work for a build system?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#295">[ date ]</a>
              <a href="thread.html#295">[ thread ]</a>
              <a href="subject.html#295">[ subject ]</a>
              <a href="author.html#295">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>2010/9/27 Michael Scherer &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">misc at zarb.org</A>&gt;

&gt;<i> On Monday 27 September 2010 at 03:19 +0200, vfmBOFH wrote:
</I>&gt;<i> &gt; What about virtualization?
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; Maybe we could set up some kind of cluster of remote and dedicated
</I>&gt;<i> &gt; VMs as a
</I>&gt;<i> &gt; unique build system. Could be a good workaround over security and
</I>&gt;<i> &gt; integrity issues, 'cause we are using a &quot;single&quot; build system.
</I>&gt;<i>
</I>&gt;<i> Well, how do you guarantee that the person who has physical access does
</I>&gt;<i> not mess with the VM image?
</I>&gt;<i>
</I>&gt;<i> Look at the libvirt developer's blog ( <A HREF="http://rwmj.wordpress.com/">http://rwmj.wordpress.com/</A> ) to see
</I>&gt;<i> how easy it can be to externally mess with a virtual instance if you are
</I>&gt;<i> root on the host computer.
</I>&gt;<i> --
</I>&gt;<i> Michael Scherer
</I>&gt;<i>
</I>&gt;<i>
</I>The only way of doing this is NOT letting anyone package or upload a
tarball. Just have two different build systems. One &quot;secure&quot; and the other
for contributors (not insecure, but with less checking). The secure one would
download the tarball automatically from the original repositories:

e.g.: suppose there is a package SPEC file containing:

Source: <A HREF="http://blabla.com/openssh-5.5-1.tar.xz">http://blabla.com/openssh-5.5-1.tar.xz</A>
Source1: <A HREF="http://blabla.com/openssh-5.5.1.tar.sig">http://blabla.com/openssh-5.5.1.tar.sig</A>

An automatic system would try to retrieve from the <A HREF="http://blabla.com/">http://blabla.com/</A> site
the package
<A HREF="http://blabla.com/openssh-5.5-1.tar.xz">http://blabla.com/openssh-5.5-1.tar.xz</A>, or if it does not exist
<A HREF="http://blabla.com/openssh-5.5-1.tar.bz2">http://blabla.com/openssh-5.5-1.tar.bz2</A> or
<A HREF="http://blabla.com/openssh-5.5-1.tar.gz">http://blabla.com/openssh-5.5-1.tar.gz</A> or
<A HREF="http://blabla.com/openssh-5.5-1.tar">http://blabla.com/openssh-5.5-1.tar</A>. Then it would retrieve the signature
<A HREF="http://blabla.com/openssh-5.5.1.tar.sig">http://blabla.com/openssh-5.5.1.tar.sig</A> and would check it against the one from
the database of signatures which has already been populated on the secure
system. If the signature check matches, then the tarball would be
uploaded to the &quot;secure&quot; system svn and used for building instead of the one
from the contributor/package maintainer.

[Of course the system would fail if the package maintainer has downloaded
the source tarball from the svn and not from a canonical repository, and to
be more secure this system would also require signing of patches].

Bye.
Giuseppe.
</PRE>


<!--endarticle-->
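<P>The fetch-and-verify flow proposed in the message above, as an added example (not code from the thread or from the Mageia build system). All function names are hypothetical; it assumes the <code>.tar.sig</code> file covers the uncompressed tar, that real verification is delegated to <code>gpgv</code> with a keyring kept on the secure builder, and it uses an HMAC stand-in as the verifier for the constructed demo data.</P>

```python
import bz2, gzip, hashlib, hmac, lzma, subprocess, tempfile

# Fallback order from the message: .tar.xz, .tar.bz2, .tar.gz, then plain .tar
DECODERS = [(".tar.xz", lzma.decompress), (".tar.bz2", bz2.decompress),
            (".tar.gz", gzip.decompress), (".tar", bytes)]

def candidate_urls(source_url):
    """Expand a spec Source: URL into (url, decoder) pairs in fallback order."""
    for suffix, _ in DECODERS:
        if source_url.endswith(suffix):
            base = source_url[:-len(suffix)]
            return [(base + s, dec) for s, dec in DECODERS]
    raise ValueError("Source is not a tarball URL: " + source_url)

def gpgv_verify(keyring, sig, data):
    """Real verifier: gpgv against a keyring that lives only on the secure builder."""
    with tempfile.NamedTemporaryFile(suffix=".sig") as f:
        f.write(sig)
        f.flush()
        cmd = ["gpgv", "--keyring", keyring, f.name, "-"]  # "-": signed data on stdin
        return subprocess.run(cmd, input=data, capture_output=True).returncode == 0

def fetch_verified(source_url, sig_url, fetch, verify):
    """fetch(url) -> bytes or None; verify(sig, tar_bytes) -> bool. Fails closed."""
    sig = fetch(sig_url)
    if sig is None:
        raise LookupError("no upstream signature at " + sig_url)
    for url, decode in candidate_urls(source_url):
        blob = fetch(url)
        if blob is None:
            continue  # variant not published upstream, try the next one
        # Assumption: a ".tar.sig" covers the uncompressed tar, so decode first.
        if not verify(sig, decode(blob)):
            raise ValueError("signature mismatch for " + url)
        return url, blob  # only a verified tarball may enter the secure svn
    raise LookupError("no upstream tarball found for " + source_url)

# Constructed demo data: a fake upstream that publishes only the .tar.gz variant.
KEY = b"constructed-demo-key"

def demo_verify(sig, data):  # HMAC stand-in so the demo runs without gpg or keys
    return hmac.compare_digest(sig, hmac.new(KEY, data, hashlib.sha256).digest())

def demo(tamper=False):
    tar = b"constructed tar payload"
    site = {"http://blabla.com/openssh-5.5-1.tar.gz": gzip.compress(tar + b"!" * tamper),
            "http://blabla.com/openssh-5.5.1.tar.sig": hmac.new(KEY, tar, hashlib.sha256).digest()}
    return fetch_verified("http://blabla.com/openssh-5.5-1.tar.xz",
                          "http://blabla.com/openssh-5.5.1.tar.sig", site.get, demo_verify)
```

<P>With real upstream keys, pass <code>functools.partial(gpgv_verify, keyring_path)</code> as <code>verify</code>. Decompression runs on bytes that are not yet verified, so a production builder should bound the decompressed size.</P>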
    <HR>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>