From: Jan Krueger
To: vapier@gentoo.org, gentoo-dev@gentoo.org
Date: Fri, 5 Sep 2003 14:13:17 +0000
Subject: Re: [gentoo-dev] Ports Security

On Friday 05 September 2003 04:17, Mike Frysinger wrote:
> On Thursday 04 September 2003 21:10, Jan Krueger wrote:
> > Hi,
> >
> > is there a guide like
> > http://www.openbsd.org/porting.html#Security
> > in progress? available?
>
> uhh we have gentoo-hardened ... not sure what you're asking about ...

I am asking about something like
http://www.openbsd.org/porting.html#Security
a guide for portage developers on how to make sure the things installed are secure.
Just like http://www.openbsd.org/porting.html#Security

And I am asking about a way for me, the user, administrator, to check the
potential security impacts of the software to install before it is put into
action.

> > Or even better tools bundled in a "esecurity_check":
>
> putting this in an ebuild to be run every time a pkg is unpacked is kind of
> dumb (no offense meant) ...

That's your point of view.

> we have no 'automated' ways for portage to scan
> source code looking for potential security issues, nor should there be ...
> the responsibility lies on the upstream author and the gentoo maintainer,
> and it should stop there ...

No, it should not. Site Security doesn't stop at the ebuild maintainer.
I, as a potential user of "trusted gentoo", would like to have a way to verify
the work of the developer. I might want to use 3rd party ebuilds, commercial
ebuilds, special super-hardened ebuilds not in the normal portage tree, I might
have requirements completely different from what the developer thought. And
also it is impossible to bring all those ebuilds to the high security standard I
mention here, so I should have the possibility to verify at emerge time.

So, instead of "esecurity_check" it should be a portage feature that I can
switch on. After every unpack or even building the image, just before
installation, I would like to see what security impacts the package might have
in its source or how many suid progs it wants to install or whatever.
And if I say so, the ebuild should not install as soon as the scanners detect
that the installed software would not conform to my requirements (that I would
have to define in make.conf).

> perhaps creating tools for developers to use when testing out a new pkg
> would be feasible ...

Yes, that would be very nice.

> then again i think if you want a 'secure' box you
> should follow the excellent work the gentoo-hardened team has put together

According to what's written on the project site, the issue I bring up here is
not (yet) covered.

A secure box can always be compromised by installing insecure software.
So installing secure software (only) should be made easy and verifiable.
As portage is responsible for installing software on our gentoo machines it
should support us in developing and installing secure software.

The feature I bring to discussion here is for sure not the overall solution but
a little step in the right direction.

It is dumb (no offense meant) to believe the ebuild-maintainer knows about and
respects the local Site Security Requirements.
It is dumb to believe every administrator or user is a security expert and can
audit each software package before installation.

Jan

> ... -mike

--
gentoo-dev@gentoo.org mailing list
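
Added example, not part of the original message and not Portage code: one way the check Jan describes (inspect the built image just before installation and refuse it when it violates site requirements) could look as POSIX shell functions. `MAX_SUID_FILES` and `ALLOW_WORLD_WRITABLE` are hypothetical settings standing in for the make.conf requirements mentioned in the thread.

```shell
# Added example: pre-merge policy check over a staged install image.
# MAX_SUID_FILES and ALLOW_WORLD_WRITABLE are hypothetical policy settings,
# not real Portage or make.conf variables.

# Print setuid/setgid regular files found under the image directory $1.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print world-writable files, and world-writable directories without the
# sticky bit (a sticky directory such as /tmp is the accepted exception).
list_world_writable() {
    find "$1" \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) -print
}

# Return 0 if the image at $1 conforms to the policy, 1 otherwise.
# Findings go to stderr so the administrator sees why a merge was refused.
check_image() {
    image=$1
    max_suid=${MAX_SUID_FILES:-0}
    status=0
    suid=$(list_suid "$image")
    suid_count=0
    # Count one path per line; assumes file names contain no newlines.
    [ -z "$suid" ] || suid_count=$(( $(printf '%s\n' "$suid" | wc -l) ))
    if [ "$suid_count" -gt "$max_suid" ]; then
        echo "policy: $suid_count setuid/setgid file(s), limit $max_suid:" >&2
        printf '%s\n' "$suid" >&2
        status=1
    fi
    ww=$(list_world_writable "$image")
    if [ -n "$ww" ] && [ "${ALLOW_WORLD_WRITABLE:-no}" != yes ]; then
        echo "policy: world-writable path(s) in image:" >&2
        printf '%s\n' "$ww" >&2
        status=1
    fi
    return "$status"
}
```

Source the file and call `check_image` on the staged image directory; a non-zero return is the signal to stop before anything reaches the live filesystem.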