[packman] Packman security policy questions

Horst Graffy horst.graffy at arcor.de
Sat Nov 3 22:08:08 CET 2007


On Saturday, 3 November 2007, Aniruddha wrote:
> On Sat, 2007-11-03 at 21:20 +0100, Andreas Schneider wrote:
> > Aniruddha wrote:
> > > Actually this is even easier than it sounds (and I am not a
> > > programmer). It only requires documenting some simple rules for package
> > > handling (e.g. that packagers should check for malware, and the
> > > monitoring of some standard security bulletins).
> >
> > It is easy? Ok.
> >
> > How should we check a new version of an application/program for malware?
> >
> >
> > 	-- andreas
>
> Let's first define the context
>
> 1 We trust the author of the original package.
> 2 Checking for malware is only to prevent the (very slight) chance that
> $upstream gets hacked and its packages are modified to provide a
> backdoor (rootkit, trojan).
> 3 We do not want to do a complete source audit, since it's too time
> consuming and probably not necessary.
>
> Now on to the question of how to check a new version of an
> application/program for malware. Since I am not a programmer I do not
> know a lot about screening source code. I did understand however (from
> people who do know how to program) that a malicious modification should
> be easy to spot. Can you confirm this?
>
> Here are some general ideas
>
> -How can we make sure $upstream arrives untampered? I do think that md5
> or shasum checking is essential in order to verify that a package
> arrives exactly as $upstream provides it.
>
> -Put some kind of scanning (f-prot, kaspersky) software on the Packman
> repos.
>
> -The expertise and experience of the packagers is also an important
> factor. This experience means that packagers could potentially see
> sooner when something is out of the ordinary.
>
> -Set up a testing branch that people like me can use. I use rkhunter and
> chkrootkit and therefore I should be able to spot problems beforehand.
> When no problems have been reported for some while the RPMs can be
> moved to stable.
>
> -Set up a security announcement mailing list and recruit people who can
> monitor predefined channels for security issues.

And what do you dream of at night?

Hey man, it's a kind of hobby for us. We invest spare time.

It is ONLY your problem if you use those packages in a "professional" 
business. Trust us or don't use our packages....

And don't try to put YOUR workload (you get paid for your business) on us.
YOU want to sell something to your customers, so it is YOUR job to do this, not
ours.

have fun
Toni
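As an added example (not from this thread or the Packman project), the md5/shasum check Aniruddha proposes, written the way a packager could run it before building: the expected digests are assumed to have been copied from upstream's announcement or signed release notes rather than from the same download directory, since a server that has been hacked can replace the tarball and its checksum file together. The tarball and its altered copy are constructed in a temporary directory.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # stream in 64 KiB blocks so large tarballs are not read whole


def digests(path):
    """Return {'md5': hex, 'sha256': hex} for the file at path."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_tarball(path, published):
    """Compare the file's digests with every published one; returns (ok, mismatches)."""
    if not published:
        raise ValueError("no published checksum to compare against")
    actual = digests(path)
    mismatches = []
    for algo, expected in published.items():  # hex digests copied from upstream
        ok = algo in actual and hmac.compare_digest(actual[algo], expected.lower())
        if not ok:
            mismatches.append(algo)  # an unknown algorithm also rejects
    return (not mismatches, mismatches)


def demo():
    """Clean tarball passes; a copy with bytes appended is rejected on both sums."""
    original = b"\x1f\x8b" + b"release 1.2.3 contents\n" * 200  # constructed payload
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "foo-1.2.3.tar.gz")
        altered = os.path.join(tmp, "foo-1.2.3-altered.tar.gz")
        with open(clean, "wb") as f:
            f.write(original)
        with open(altered, "wb") as f:
            f.write(original + b"\x00extra")
        published = digests(clean)  # stands in for upstream's announced sums
        return verify_tarball(clean, published), verify_tarball(altered, published)


if __name__ == "__main__":
    print(demo())  # ((True, []), (False, ['md5', 'sha256']))
```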