[packman] Packman security policy questions

Pascal Bleser pascal.bleser at skynet.be
Sat Nov 3 14:25:00 CET 2007


Aniruddha wrote:
> On Sat, 2007-11-03 at 12:23 +0100, Pascal Bleser wrote:
[...]
> Thank you for all your answers
> 
>> I don't know what world you're living in but we're not paid to do this,
>> we do it during our spare time, and it's a considerable effort and
>> amount of time, health, and commitment going into this from every single
>> member of the team. It's totally unrealistic and just plain impossible
>> for us to provide SLAs, maximum response time guarantees or whatever.
>> Get real.
>>
>> If you want a really secure environment (_if_ you actually need that
>> level of paranoia), then only use the packages that come with the
>> distribution.
>>
>> And as the Subversion team likes to put it: "patches are welcome"
> 
> Pascal, in the world I live people don't regard questions as personal
> attacks. Nor do they feel the need to talk in a demeaning manner. How
> tempting it might be, I am not going to lower myself to this level of
> discussion.

Huh?
Something is just seriously wrong with the tone, criticizing all the
time, wrong facts and you messing up replies and arguments all the time.
It's damn close to trolling. That's what is getting yourself such
replies. It's that simple, really.
And I don't see where I was personally attacking you. Actually you're
the one who turns every reply into being a personal attack.

Reference for the others on the list:
http://lists.opensuse.org/opensuse-buildservice/2007-11/
and the dozens of "How secure is openSUSE build service?" threads.

> I own my own IT company, I have to know 100% certain what I offer my
> customers. Companies rely on me for good, solid advice. Operating
> systems are just a tool for me, nothing more.

You cannot "know 100% certain what you offer to your customers".
You'd have to either write all the source code yourself, or audit all
the source code yourself (and actually have such a deep understanding of
environments, programming languages etc. to actually understand exactly
what every single line of C/C++/Python/Ruby/Java/C#/PHP/bash/perl source
code does), or trust others.
Either you trust the authors of each individual piece of software as
well as the packagers, or you defer the trusting to another business
that has enough time, people, money to have QA processes, QA teams,
etc... (e.g. Novell (SLED/SLES), Redhat (RHEL), Canonical (Ubuntu LTS)).

> Apparently openSUSE/SLED doesn't offer the solution I need. That's fine
> with me. I'll just go on and advise another 'tool' that does offer the
> kind of security I need.
> 
> Gentoo for example is 100% free, it's entirely maintained by volunteers,
> and has the highest security standards in the industry:
> http://www.gentoo.org/doc/en/security/index.xml
> http://www.gentoo.org/security/en/index.xml
> http://www.gentoo.org/security/en/vulnerability-policy.xml
> http://www.gentoo.org/security/en/coordinator_guide.xml

Get SLES or SLED, they provide the same security levels, SLAs and
whatever you need. Plus you actually get a contract and an SLA, support,
hotline, guarantees. The above give you near nothing because no one is
liable for it. It might be a code of conduct, a best effort, an
intention (which is great if it really works), but still no guarantee at
all. What will happen if the maintainer or one of the maintainers of
gentoo's MPlayer ebuild is on holidays a few days? Will he be fired?
Will someone else from the QA team pick it up, build it, test it?
And with gentoo it gives you nothing, because you still have to get your
customers to rebuild the software in question on their hosts, supposedly
with a long downtime.

> Besides Gentoo there is Ubuntu/Debian/FreeBSD which shows that it is
> possible to make a very secure distribution with only volunteers.

Sure, if it makes you feel better by thinking it does.
If you really want to go by a hardened and secure environment, then go
for OpenBSD. But you will always get the tradeoffs, with any environment
that is really secure. And it seems that you're targeting desktop
systems. That sounds like a lot of fun :)

Just show me where SLED/SLES/openSUSE/Packman was too slow at shipping
security fixes or caused harm by not pushing out updates fast enough.

Note that that's exactly the sort of argumentation I was referring to.
By telling people they suck idiots because others supposedly do it
better (with lots of wrong "facts" btw, such as Debian shipping patent
encumbered codecs in their main repository, or MP3 just being an
"ethical problem" and not a legal one, or stating that every single of
the 20000+ packages in the Debian repository undergoes heavy security
checks by their maintainers -- plain wrong, but you never reply to
people telling you that) and "threatening" to use another distribution,
what.. you don't actually expect people to give constructive replies,
do you? ;)

But if you prefer Gentoo, Debian, Ubuntu, FreeBSD or whatever, those are
fine distributions as well, just go for it. Don't think that anyone
cares about what distribution you and your customers will be using, that
sort of "threatening" just does not work at all.

What Toni and I tried to explain to you (and what you just dubbed as
being a personal attack, for whatever reason) is that we cannot possibly
perform security audits on every single package we build.
It's not feasible for several reasons:
- we would need to be 50 people working on it at least, full time, with
everyone just tracking 20 projects or so, not more
- we would probably have to restrict the number of packages that we
provide (and you don't want that now, do you?)
- we would need a lot of funding and a lot of hardware to perform
security checks, shorter update delivery, automated QA, manual QA procedures

We have none of that. What we provide to the community is huge
amounts of our spare time committed to give them software they can
install easily on their distribution in the latest version and
uncrippled, with of course a best effort in terms of new releases,
bugfixes and security fixes. But we totally rely on upstream (= the
software authors), as almost everyone else does.
You have to trust both upstream (authors) and downstream (packagers),
that's all. And it's exactly the same with Debian, Ubuntu, Gentoo,
others. Because Gentoo may well have some policies and intentions, but
it doesn't technically prevent them from skipping their QA or adding
something harmful into the packages/ebuilds.

If you have some constructive feedback, some realistic ideas on how to
do it, want to contribute to the project, fine, be our guest (that was
the meaning of "patches are welcome").

cheers
-- 
  -o) Pascal Bleser     http://linux01.gwdg.de/~pbleser/
  /\\ <pascal.bleser at skynet.be>       <guru at unixtech.be>
 _\_v The more things change, the more they stay insane.