<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] Will this work for a build system?
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Will%20this%20work%20for%20a%20build%20system%3F&In-Reply-To=%3C201009271131.19089.bgmilne%40multilinks.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000296.html">
<LINK REL="Next" HREF="000310.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] Will this work for a build system?</H1>
<B>Buchan Milne</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Will%20this%20work%20for%20a%20build%20system%3F&In-Reply-To=%3C201009271131.19089.bgmilne%40multilinks.com%3E"
TITLE="[Mageia-dev] Will this work for a build system?">bgmilne at multilinks.com
</A><BR>
<I>Mon Sep 27 12:31:18 CEST 2010</I>
<P><UL>
<LI>Previous message: <A HREF="000296.html">[Mageia-dev] Will this work for a build system?
</A></li>
<LI>Next message: <A HREF="000310.html">[Mageia-dev] Will this work for a build system?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#299">[ date ]</a>
<a href="thread.html#299">[ thread ]</a>
<a href="subject.html#299">[ subject ]</a>
<a href="author.html#299">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Monday, 27 September 2010 10:51:19 Giuseppe Ghibò wrote:
><i> 2010/9/27 Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">misc at zarb.org</A>>
</I>><i>
</I>><i> > Le lundi 27 septembre 2010 à 03:19 +0200, vfmBOFH a écrit :
</I>><i> > > What about virtualization?
</I>><i> > >
</I>><i> > > Maybe we could set-up some kind of cluster of remote and dedicated
</I>><i> > > vm's as a
</I>><i> > > unique build system.
</I>
Are you familiar with how the Mandriva build cluster worked? If not, you
should try and familiarise yourself with it first. While there are areas for
improvement, most of the time it worked very effectively.

><i> > > Could be a good workaround over security and
</I>><i> > > integrity issues, 'cause we are using a "single" build system.
</I>
You need to explain further how "remote" VMs can be used to work around
security issues ...

><i> > Well, how do you guarantee that the person who has physical access does
</I>><i> > not mess with the vm image ?
</I>
Again, as I said earlier, you need to be able to maintain the entire integrity
of the build environment/tool chain, not just the source of software being
compiled (to avoid trojaned compiler, possibly injected by trojan hypervisor
etc.).

><i> > Look at libvirt developers blog ( <A HREF="http://rwmj.wordpress.com/">http://rwmj.wordpress.com/</A> ) to see
</I>><i> > how easy it can be to externally mess with a virtual instance if you are
</I>><i> > root on the host computer.
</I>
><i> The only way of doing this is NOT letting anyone package or upload a
</I>><i> tarball.
</I>
This is not the only requirement.

><i> Just have two different building systems. One "secure" and the
</I>><i> other of contributors (not unsecure, but with less checking). The secure
</I>><i> one would download the tarball automatically from the original
</I>><i> repositories:
</I>><i>
</I>><i> e.g.: suppose there is a package SPEC file containing:
</I>><i>
</I>><i> Source: <A HREF="http://blabla.com/openssh-5.5-1.tar.xz">http://blabla.com/openssh-5.5-1.tar.xz</A>
</I>><i> Source1: <A HREF="http://blabla.com/openssh-5.5.1.tar.sig">http://blabla.com/openssh-5.5.1.tar.sig</A>
</I>><i>
</I>><i> An automatic system would try to retrieve from the <A HREF="http://blabla.com/">http://blabla.com/</A> site
</I>><i> the packages
</I>><i> <A HREF="http://blabla.com/openssh-5.5-1.tar.xz">http://blabla.com/openssh-5.5-1.tar.xz</A>, or if that does not exist
</I>><i> <A HREF="http://blabla.com/openssh-5.5-1.tar.bz2">http://blabla.com/openssh-5.5-1.tar.bz2</A> or
</I>><i> <A HREF="http://blabla.com/openssh-5.5-1.tar.gz">http://blabla.com/openssh-5.5-1.tar.gz</A> or
</I>><i> <A HREF="http://blabla.com/openssh-5.5-1.tar">http://blabla.com/openssh-5.5-1.tar</A>. Then would retrieve the signature
</I>><i> <A HREF="http://blabla.com/openssh-5.5.1.tar.sig">http://blabla.com/openssh-5.5.1.tar.sig</A> and would check with the one from
</I>><i> the Database of signatures which has been already populated on the secure
</I>><i> system. If the signatures checking would match, then tarball would be
</I>><i> uploaded to the "secure" system svn and used for building instead of the
</I>><i> one from the contributor/package maintainer.
</I>><i>
</I>><i> [Of course the system would fail if the package maintainer has downloaded
</I>><i> the source tarball from the svn and not from a canonical repository, and to
</I>><i> be further secure this system would require also signing of Patches].
</I>
IMHO, you should also keep the public keys of tarball signers. Please have a
look at the samba SPEC file, which does verification of the tarball signature
during %prep. In conjunction with the existing build tools (repsys/mdvsys
etc.), a single command ('mdvsys update samba xxx') currently (usually)
updates and submits the package, and building it at any time validates the
source tarball.

Actually, I still need to petition other security-sensitive packages which
have previously said that tarball signing is irrelevant (due to the problem of
first establishing trust of public keys etc.).

Regards,
Buchan
</PRE>
<!--endarticle-->
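<P>Added example, not part of the message above and not the samba SPEC file's code: one way a %prep step could check a source tarball against signer public keys kept with the package, as the reply suggests. The function name <code>verify_source</code>, the keyring layout, the exit codes and the file-name matching rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify an upstream tarball against signer keys pinned in the
# package repository. Names, layout and exit codes are illustrative assumptions.
# Possible call from %prep: verify_source %{SOURCE0} %{SOURCE1} %{SOURCE2} || exit 1

# verify_source TARBALL SIG KEYRING
#   KEYRING: binary `gpg --export` of the upstream signers' public keys,
#            stored next to the spec file (assumed layout).
#   Returns 0 only when SIG is a good detached signature, made by a key in
#   KEYRING, over TARBALL or over its uncompressed .tar stream.
verify_source() {
    tarball=$1; sig=$2; keyring=$3
    for f in "$tarball" "$sig" "$keyring"; do
        [ -s "$f" ] || { echo "verify_source: missing or empty: $f" >&2; return 2; }
    done

    # gpgv looks up a keyring name without a slash in the GnuPG home
    # directory; force a path so the pinned file is the one consulted.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac

    # What the signature claims to cover, judged by its file name.
    signed=$(basename "$sig"); signed=${signed%.sig}; signed=${signed%.asc}
    name=$(basename "$tarball")
    case $name in
        "$signed")     dec=cat ;;          # signature over the file as shipped
        "$signed".xz)  dec="xz -dc" ;;     # signature over the plain .tar
        "$signed".bz2) dec="bzip2 -dc" ;;
        "$signed".gz)  dec="gzip -dc" ;;
        *) echo "verify_source: $sig does not belong to $name" >&2; return 2 ;;
    esac

    command -v gpgv >/dev/null 2>&1 ||
        { echo "verify_source: gpgv not installed" >&2; return 3; }

    # gpgv treats every key in the given keyring as trusted: no keyserver
    # lookup, no web of trust. It does not check key expiry or revocation,
    # so the pinned keyring has to be maintained. "-" means data on stdin.
    if $dec "$tarball" | gpgv --keyring "$keyring" "$sig" - >/dev/null 2>&1; then
        return 0
    fi
    echo "verify_source: BAD or untrusted signature on $name" >&2
    return 1
}
```

Every failure path returns non-zero, so a build that calls it with <code>|| exit 1</code> stops before unpacking an unverified tarball.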
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>