Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Checks source code goes though before added to repository?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
Lechium
Apprentice
Apprentice


Joined: 04 Apr 2005
Posts: 244

PostPosted: Tue Nov 08, 2005 8:08 pm    Post subject: Checks source code goes though before added to repository? Reply with quote

Hi,

I am curious of what kind of checks and tests does source code go though before it is added to the repository?

Let me elaborate. Say I am a part of a small project working on say a gui text editor for config files, or something like that. The project has to be compiles (emerged) and ran with root permissions (it edits config files after all). At that if I hide any malicious code to it (i.e. make it run 'rm -fr /bin' on 20th use, or such) it can slaughter users system. Yeah, at that point my name is ruined, and I'm blacklisted, but still I had caused massive damage to (potentially) many computers. And what if someone from my team snuck it in without me knowing, or it was a virus that got attacjed to it somehow, etc etc etc.

Point I am trying to make is that average Gentoo user puts a lot of trust into his packages being clean of malware. What kind of steps does Gentoo development comunity takes to make sure that few assholes will not take advantage of this trust?

wbr,
Victor
Back to top
View user's profile Send private message
alistair
Retired Dev
Retired Dev


Joined: 15 Jul 2005
Posts: 869

PostPosted: Tue Nov 08, 2005 8:58 pm    Post subject: Reply with quote

Trojaned Compilers = Backdoored Binaries

I suppose this could be the biggest security issue with opensource. How do u know that the compiler on the live cd you used didnt add backdoors thru every program it compiled. Even if you had the source code for the compiler (or believed you did) u still couldn't confirm that the source code is exactly the same as the compiled compilers orginal source code.


ps. Would it be funny if someone at Microsoft did this to their kernel compiler
Back to top
View user's profile Send private message
Genone
Retired Dev
Retired Dev


Joined: 14 Mar 2003
Posts: 9608
Location: beyond the rim

PostPosted: Wed Nov 09, 2005 6:49 am    Post subject: Re: Checks source code goes though before added to repositor Reply with quote

Lechium wrote:
Point I am trying to make is that average Gentoo user puts a lot of trust into his packages being clean of malware.

As does every other Computer user, or can you be sure that Windows/Solaris/Debian/... don't contain malware?
Unless you review the code yourself (which most people aren't capable of) you're always completely trusting your vendor.
Back to top
View user's profile Send private message
Sven Vermeulen
Retired Dev
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Wed Nov 09, 2005 8:00 am    Post subject: Reply with quote

Gentoo uses the project's source code. The security team can perform audits, but this happens when there is ground for such an audit, not randomly.

There is always a chance that the project's source code is malicious, in which case the Gentoo installed software will be malicious as well. However, if the jack-I-want-to-destroy-the-world code is added after we made the ebuild, Portage will find that the code has been altered. This is a security mechanism to protect users from malicious mirrors and such.

If you don't use ~arch, chances are that such code is discovered before it hits stable :)
_________________
Please add "[solved]" to the initial topic title when it is solved.
Back to top
View user's profile Send private message
omp
Retired Dev
Retired Dev


Joined: 10 Sep 2005
Posts: 1018
Location: Glendale, California

PostPosted: Thu Nov 10, 2005 12:08 am    Post subject: Reply with quote

Sven Vermeulen wrote:
If you don't use ~arch, chances are that such code is discovered before it hits stable :)


That quote is going to scare a lot of people from having ~arch in make.conf :?
_________________
meow.
Back to top
View user's profile Send private message
codergeek42
Bodhisattva
Bodhisattva


Joined: 05 Apr 2004
Posts: 5142
Location: Anaheim, CA (USA)

PostPosted: Thu Nov 10, 2005 12:11 am    Post subject: Reply with quote

omp wrote:
Sven Vermeulen wrote:
If you don't use ~arch, chances are that such code is discovered before it hits stable :)


That quote is going to scare a lot of people from having ~arch in make.conf :?
I'm not scared. :D
_________________
~~ Peter: Programmer, Mathematician, STEM & Free Software Advocate, Enlightened Agent, Transhumanist, Fedora contributor
Who am I? :: EFF & FSF
Back to top
View user's profile Send private message
BlackEdder
Advocate
Advocate


Joined: 26 Apr 2004
Posts: 2588
Location: Dutch enclave in Egham, UK

PostPosted: Thu Nov 10, 2005 12:13 am    Post subject: Reply with quote

codergeek42 wrote:
I'm not scared. :D
Yeah, but you are weird :roll:
Back to top
View user's profile Send private message
codergeek42
Bodhisattva
Bodhisattva


Joined: 05 Apr 2004
Posts: 5142
Location: Anaheim, CA (USA)

PostPosted: Thu Nov 10, 2005 12:18 am    Post subject: Reply with quote

BlackEdder wrote:
codergeek42 wrote:
I'm not scared. :D
Yeah, but you are weird :roll:
Thank you. :)
_________________
~~ Peter: Programmer, Mathematician, STEM & Free Software Advocate, Enlightened Agent, Transhumanist, Fedora contributor
Who am I? :: EFF & FSF
Back to top
View user's profile Send private message
Sven Vermeulen
Retired Dev
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Thu Nov 10, 2005 10:40 am    Post subject: Reply with quote

omp wrote:

That quote is going to scare a lot of people from having ~arch in make.conf :?


I hope it does. Some people forget that packages who have security vulnerabilities in ~arch will not receive a GLSA (Gentoo Linux Security Advisory), it will just be updated (the fix goes in, but you're not informed about it).
_________________
Please add "[solved]" to the initial topic title when it is solved.
Back to top
View user's profile Send private message
playfool
l33t
l33t


Joined: 01 Jun 2004
Posts: 688
Location: Århus, Denmark

PostPosted: Thu Nov 10, 2005 11:18 am    Post subject: Reply with quote

If you insert bad code in an open source project and it's discovered the fix is simple - we dispatch ESR with his huge gun collection to set an example.
Back to top
View user's profile Send private message
EzInKy
Veteran
Veteran


Joined: 11 Oct 2002
Posts: 1742
Location: Kentucky

PostPosted: Thu Nov 10, 2005 11:27 am    Post subject: Reply with quote

Sven Vermeulen wrote:

I hope it does. Some people forget that packages who have security vulnerabilities in ~arch will not receive a GLSA (Gentoo Linux Security Advisory), it will just be updated (the fix goes in, but you're not informed about it).


Of course it's a risk, but if nobody used "~arch" new software would never be sufficiently tested. Still, I keep a backup installation on a seperate drive just in case B-).
_________________
Time is what keeps everything from happening all at once.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum