[packman] Packman security policy questions

Aniruddha mailing_list at orange.nl
Sat Nov 3 18:22:34 CET 2007


Pascal,

I'm done talking to you. I tried my best to explain myself but
apparently I can't get my message across. I'll restrict myself to
addressing only some of the points you made.

On Sat, 2007-11-03 at 14:25 +0100, Pascal Bleser wrote:
> >> I don't know what world you're living in but we're not paid to do this,
> >> we do it during our spare time, and it's a considerable effort and
> >> amount of time, health, and commitment going into this from every single
> >> member of the team. It's totally unrealistic and just plain impossible
> >> for us to provide SLAs, maximum response time guarantees or whatever.
> >> Get real.
> >>
> >> If you want a really secure environment (_if_ you actually need that
> >> level of paranoia), then only use the packages that come with the
> >> distribution.
> >>
> >> And as the Subversion team likes to put it: "patches are welcome"
> > 
> > Pascal, in the world I live people don't regards questions as personal
> > attacks. Nor do they feel the need to talk in a demeaning manner. How
> > tempting it might be I am not going to lower myself to this level of
> > discussion.
> 
> Huh ?
> Something is just seriously wrong with the tone, criticizing all the
> time, wrong facts and you messing up replies and arguments all the time.
> It's damn close to trolling. That's what is getting yourself such
> replies. It's that simple, really.
> And I don't see where I was personally attacking you. Actually you're
> the one who turns every reply into being a personal attack.
> 
> Reference for the others on the list:
> http://lists.opensuse.org/opensuse-buildservice/2007-11/
> and the dozen "How secure is openSUSE build service ?" threads.

Thanks for providing the link. I'll leave it up to others to decide for
themselves whether I am trolling or not.

> You cannot "know 100% certain what you offer to your customers".
> You'd have to either write all the source code yourself, or audit all
> the source code yourself (and actually have such a deep understanding of
> environments, programming languages etc.. to actually understand exactly
> that every single line of C/C++/Python/Ruby/Java/C#/PHP/bash/perl source
> code does), or trust others.

True.

> Get SLES or SLED, they provide the same security levels, SLAs and
> whatever you need. Plus you actually get a contract and an SLA, support,
> hotline, guarantees. The above give you near nothing because no one is
> liable for it. It might be a code of conduct, a best effort, an
> intention (which is great if it really works), but still no guarantee at
> all. What will happen if the maintainer or one of the maintainers of
> gentoo's MPlayer ebuild is on holidays a few days ? Will he be fired ?
> Will someone else from the QA team pick it up, build it, test it ?

SLED is too expensive for the home user.

> And with gentoo it gives you nothing, because you still have to get your
> customers to rebuild the software in question on their hosts, supposedly
> with a long downtime.

One word: binhost

> 
> > Besides Gentoo there is Ubuntu/Debian/FreeBSD which shows that it is
> > possible to make a very secure distribution with only volunteers.
> 
> Sure, if it makes you feel better by thinking it does.
> If you really want to go by a hardened and secure environment, then go
> for OpenBSD. But you will always get the tradeoffs, with any environment
> that is really secure. And it seems that you're targeting desktop
> systems. That sounds like a lot of fun :)

> 
> Just show me where SLED/SLES/openSUSE/Packman was too slow at shipping
> security fixes or caused harm by not pushing out updates fast enough.

I never stated that SLED/SLES/openSUSE/Packman "was too slow at shipping
security fixes or caused harm by not pushing out updates fast enough".
In fact I repeatedly stated (see "How secure is openSUSE build
service ?" link) that I trust the packman and openSUSE repos 100%.

> 
> Note that that's exactly the sort of argumentation I was referring to.
> By telling people they suck idiots because others supposedly do it
> better 

I never said something that comes even close to "they suck idiots
because others supposedly do it better".

> (with lots of wrong "facts" btw, such as Debian shipping patent
> encumbered codecs in their main repository,

Again I never stated that "Debian shipping patent encumbered codecs in
their main repository". I only said Debian has patent encumbered codecs
(mp3 not dvd) available. Which are in the non-free repos.

>  or MP3 just being an
> "ethical problem" and not a legal one, 

That depends on where you live.

> or stating that every single one of
> the 20000+ packages in the Debian repository undergoes heavy security
> checks by their maintainers -- plain wrong, but you never reply to
> people telling you that) and


> "threatening" to use another distribution,

Like I said, I don't care which distro I use. For me it's just a tool.
Therefore I see no use in "threatening" to use another distribution.

> what.. you don't actually expect people to give constructive replies,
> don't you ? ;)

You never bothered to give constructive replies in the first place.

> But if you prefer Gentoo, Debian, Ubuntu, FreeBSD or whatever, those are
> fine distributions as well, just go for it. Don't think that anyone
> cares about what distribution you and your customers will be using, that
> sort of "threatening" just does not work at all.

Like I said, I don't prefer any distro; all have their positive and
negative points.

> What Toni and I tried to explain to you (and what you just dubbed as
> being a personal attack, for whatever reason) is that we cannot possibly
> perform security audits on every single package we build.
> It's not feasible for several reasons:
> - we would need to be 50 people working on it at least, full time, with
> everyone just tracking 20 projects or so, not more
> - we would probably have to restrict the number of packages that we
> provide (and you don't want that now, do you ?)
> - we would need a lot of funding and a lot of hardware to perform
> security checks, shorter update delivery, automated QA, manual QA procedures

I never asked for security audits. I only wanted to know which security
procedure the packman devs use. Just reread my initial post.



> We have neither of that. What we provide to the community is huge
> amounts of our spare time committed to give them software they can
> install easily on their distribution in the latest version and
> uncrippled, with of course a best effort in terms of new releases,
> bugfixes and security fixes. But we totally rely on upstream (= the
> software authors), as almost everyone else does.

> You have to trust both upstream (authors) and downstream (packagers),
> that's all. And it's exactly the same with Debian, Ubuntu, Gentoo,
> others. Because Gentoo may well have some policies and intentions, but
> it doesn't technically prevent them from skipping their QA or adding
> something harmful into the packages/ebuilds.

Fortunately they do have a testing tree, that can prevent a lot of harm.

> 
> If you have some constructive feedback, some realistic ideas on how to
> do it, want to contribute to the project, fine, be our guest (that was
> the meaning of "patches are welcome").

I tried my best to give constructive feedback but it has fallen on
deaf ears.