[packman] Packman security policy questions

Andreas Schneider mail at cynapses.org
Sat Nov 3 23:35:57 CET 2007


Aniruddha wrote:
> On Sat, 2007-11-03 at 21:20 +0100, Andreas Schneider wrote:
>> Aniruddha wrote:
>>> Actually this is even easier than it sounds (and I am not a
>>> programmer). It only requires documenting some simple rules for package
>>> handling (e.g. that packagers should check for malware, and the
>>> monitoring of some standard security bulletins).
>> It is easy? Ok.
>>
>> How should we check a new version of an application/program for malware?
>>
>>
>> 	-- andreas
>>
> Let's first define the context
> 
> 1 We trust the author of the original package.
> 2 Checking for malware is only to prevent the (very slight) chance that
> $upstream gets hacked and its packages are modified to provide a
> backdoor (rootkit, trojan).
> 3 We do not want to do a complete source audit, since it's too time
> consuming and probably not necessary.
> 
> Now on to the question how to check a new version of an
> application/program for malware. Since I am not a programmer I do not
> know a lot about screening source code. I did understand however (from

Sorry, why do you talk about things here you don't know about? You have done
this already throughout the whole discussion on the opensuse list and here.

> (people who do know how to program) that a malicious modification should
> be easy to spot. Can you confirm this?

You guess that it is easy to spot. I can't confirm this. Don't assume things you
don't know anything about.
Pascal already mentioned that this is a full time job for a packager with only
20 packages.

> 
> Here are some general ideas
> 
> -How can we make sure $upstream arrives untampered? I do think that md5
> or shasum checking is essential in order to verify that a package
> arrives exactly as $upstream provides it.

MD5SUMs are not always available. I trust that developers can upload their
code to a certain location and that they use secure passwords.

> 
> -Put some kind of scanning (f-prot, kaspersky) software on the Packman
> repos.
> 

What should it detect, Windows viruses?

> -The expertise and experience of the packagers is also an important
> factor. This experience means that packagers could potentially see
> faster when something is out of the ordinary.

That's the fact for the Packman Team and the packages using the Build Service.
If you package an application you're normally familiar with it or help to
develop it. You test your package before you release it.

> 
> -Set up a testing branch that people like me can use. I use rkhunter and
> chkrootkit and therefore I should be able to spot problems beforehand.

Lol. You're paranoid and think that those tools will protect you from malware
or crackers. rkhunter and chkrootkit are something against script kiddies and
nothing else.

> When no problems have been reported for some while the RPMs can be
> moved to stable.

There is only a small number of people who really test such RPMs and report
back. Most of the people are lazy.

> -Set up a security announcement mailing list and recruit people who can
> monitor predefined channels for security issues.

Who pays them?


	-- andreas

-- 
http://www.cynapses.org/ - cybernetic synapses
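The md5/shasum check Aniruddha proposes above, as an added example that is not part of this thread or of the Packman project: a POSIX shell function that compares a downloaded tarball against its entry in a sha256sum-format SHA256SUMS file, exercised on a constructed tarball that passes unmodified and is refused after a one-byte change. It assumes sha256sum (coreutils), awk and mktemp are installed; the file names and contents are constructed.

```shell
# Added example (not Packman code): refuse an upstream tarball whose SHA-256
# does not match the sum its author published. Assumes sha256sum and awk.

# verify_tarball FILE SUMSFILE
# Returns 0 when FILE's SHA-256 equals the entry for its basename in SUMSFILE
# (sha256sum format: "<hex>  <name>" or "<hex> *<name>"), 1 otherwise.
verify_tarball() {
    file="$1"
    sums="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# demo_setup: constructed "upstream" tarball plus its SHA256SUMS in a temp dir.
demo_setup() {
    dir=$(mktemp -d)
    printf 'constructed upstream source\n' > "$dir/foo-1.0.tar.gz"
    (cd "$dir" && sha256sum foo-1.0.tar.gz > SHA256SUMS)
    echo "$dir"
}

# demo_untampered: the download is exactly what upstream published -> returns 0
demo_untampered() {
    dir=$(demo_setup)
    if verify_tarball "$dir/foo-1.0.tar.gz" "$dir/SHA256SUMS"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# demo_tampered: one byte appended after the sums were published -> returns 1
demo_tampered() {
    dir=$(demo_setup)
    printf 'x' >> "$dir/foo-1.0.tar.gz"
    if verify_tarball "$dir/foo-1.0.tar.gz" "$dir/SHA256SUMS"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

A sum file fetched from the same server as the tarball only shows the two still agree, so it catches corruption in transit or a mirror that was altered after publication, not a modification made before the sums were generated; that is why the sums (or a signature over them) should come from a separate, trusted channel.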

