View previous topic :: View next topic |
Author |
Message |
Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
|
Posted: Tue Nov 08, 2005 8:08 pm Post subject: Checks source code goes though before added to repository? |
|
|
Hi,
I am curious of what kind of checks and tests does source code go though before it is added to the repository?
Let me elaborate. Say I am a part of a small project working on say a gui text editor for config files, or something like that. The project has to be compiles (emerged) and ran with root permissions (it edits config files after all). At that if I hide any malicious code to it (i.e. make it run 'rm -fr /bin' on 20th use, or such) it can slaughter users system. Yeah, at that point my name is ruined, and I'm blacklisted, but still I had caused massive damage to (potentially) many computers. And what if someone from my team snuck it in without me knowing, or it was a virus that got attacjed to it somehow, etc etc etc.
Point I am trying to make is that average Gentoo user puts a lot of trust into his packages being clean of malware. What kind of steps does Gentoo development comunity takes to make sure that few assholes will not take advantage of this trust?
wbr,
Victor |
|
Back to top |
|
|
alistair Retired Dev
Joined: 15 Jul 2005 Posts: 869
|
Posted: Tue Nov 08, 2005 8:58 pm Post subject: |
|
|
Trojaned Compilers = Backdoored Binaries
I suppose this could be the biggest security issue with opensource. How do u know that the compiler on the live cd you used didnt add backdoors thru every program it compiled. Even if you had the source code for the compiler (or believed you did) u still couldn't confirm that the source code is exactly the same as the compiled compilers orginal source code.
ps. Would it be funny if someone at Microsoft did this to their kernel compiler |
|
Back to top |
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9611 Location: beyond the rim
|
Posted: Wed Nov 09, 2005 6:49 am Post subject: Re: Checks source code goes though before added to repositor |
|
|
Lechium wrote: | Point I am trying to make is that average Gentoo user puts a lot of trust into his packages being clean of malware. |
As does every other Computer user, or can you be sure that Windows/Solaris/Debian/... don't contain malware?
Unless you review the code yourself (which most people aren't capable of) you're always completely trusting your vendor. |
|
Back to top |
|
|
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
|
Posted: Wed Nov 09, 2005 8:00 am Post subject: |
|
|
Gentoo uses the project's source code. The security team can perform audits, but this happens when there is ground for such an audit, not randomly.
There is always a chance that the project's source code is malicious, in which case the Gentoo installed software will be malicious as well. However, if the jack-I-want-to-destroy-the-world code is added after we made the ebuild, Portage will find that the code has been altered. This is a security mechanism to protect users from malicious mirrors and such.
If you don't use ~arch, chances are that such code is discovered before it hits stable _________________ Please add "[solved]" to the initial topic title when it is solved. |
|
Back to top |
|
|
omp Retired Dev
Joined: 10 Sep 2005 Posts: 1018 Location: Glendale, California
|
Posted: Thu Nov 10, 2005 12:08 am Post subject: |
|
|
Sven Vermeulen wrote: | If you don't use ~arch, chances are that such code is discovered before it hits stable |
That quote is going to scare a lot of people from having ~arch in make.conf _________________ meow. |
|
Back to top |
|
|
codergeek42 Bodhisattva
Joined: 05 Apr 2004 Posts: 5142 Location: Anaheim, CA (USA)
|
Posted: Thu Nov 10, 2005 12:11 am Post subject: |
|
|
omp wrote: | Sven Vermeulen wrote: | If you don't use ~arch, chances are that such code is discovered before it hits stable |
That quote is going to scare a lot of people from having ~arch in make.conf | I'm not scared. _________________ ~~ Peter: Programmer, Mathematician, STEM & Free Software Advocate, Enlightened Agent, Transhumanist, Fedora contributor
Who am I? :: EFF & FSF |
|
Back to top |
|
|
BlackEdder Advocate
Joined: 26 Apr 2004 Posts: 2588 Location: Dutch enclave in Egham, UK
|
Posted: Thu Nov 10, 2005 12:13 am Post subject: |
|
|
codergeek42 wrote: | I'm not scared. | Yeah, but you are weird |
|
Back to top |
|
|
codergeek42 Bodhisattva
Joined: 05 Apr 2004 Posts: 5142 Location: Anaheim, CA (USA)
|
Posted: Thu Nov 10, 2005 12:18 am Post subject: |
|
|
BlackEdder wrote: | codergeek42 wrote: | I'm not scared. | Yeah, but you are weird | Thank you. _________________ ~~ Peter: Programmer, Mathematician, STEM & Free Software Advocate, Enlightened Agent, Transhumanist, Fedora contributor
Who am I? :: EFF & FSF |
|
Back to top |
|
|
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
|
Posted: Thu Nov 10, 2005 10:40 am Post subject: |
|
|
omp wrote: |
That quote is going to scare a lot of people from having ~arch in make.conf
|
I hope it does. Some people forget that packages who have security vulnerabilities in ~arch will not receive a GLSA (Gentoo Linux Security Advisory), it will just be updated (the fix goes in, but you're not informed about it). _________________ Please add "[solved]" to the initial topic title when it is solved. |
|
Back to top |
|
|
playfool l33t
Joined: 01 Jun 2004 Posts: 688 Location: Ã
rhus, Denmark
|
Posted: Thu Nov 10, 2005 11:18 am Post subject: |
|
|
If you insert bad code in an open source project and it's discovered the fix is simple - we dispatch ESR with his huge gun collection to set an example. |
|
Back to top |
|
|
EzInKy Veteran
Joined: 11 Oct 2002 Posts: 1742 Location: Kentucky
|
Posted: Thu Nov 10, 2005 11:27 am Post subject: |
|
|
Sven Vermeulen wrote: |
I hope it does. Some people forget that packages who have security vulnerabilities in ~arch will not receive a GLSA (Gentoo Linux Security Advisory), it will just be updated (the fix goes in, but you're not informed about it). |
Of course it's a risk, but if nobody used "~arch" new software would never be sufficiently tested. Still, I keep a backup installation on a seperate drive just in case B-). _________________ Time is what keeps everything from happening all at once. |
|
Back to top |
|
|
|