From: Ian Stakenvicius <axs@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 4 Feb 2019 12:06:35 -0500
Message-ID: <5ad9da44-3596-c3ce-aa58-e2f56f90dfad@gentoo.org>
In-Reply-To: <20190204160930.18fe2c56@gentoo.org>

On 2019-02-04 10:09 a.m., Alexis Ballier wrote:
> On Mon, 4 Feb 2019 09:43:53 -0500
> Rich Freeman wrote:
>
>> On Mon, Feb 4, 2019 at 9:35 AM Alexis Ballier
>> wrote:
>>>
>>> On Mon, 04 Feb 2019 15:13:36 +0100
>>> Michał Górny wrote:
>>>
>>>> 2. By design, postinst is run with full privileges. It is meant
>>>> to allow ebuilds to run stuff, as root.
>>>
>>> And that is precisely that kind of design that makes it hard or
>>> unrealistic to have unreviewed global repositories.
>>>
>>
>> Unless you're doing something like per-app sandboxes at runtime fixing
>> this is just shifting the problem elsewhere.
>>
>> Ok, so the package can't run stuff at root at time of install. But,
>> it can drop whatever shell script it wants into /etc/cron.hourly, or
>> enable some service by default. Or it can stick something in the
>> default shell profile. Or it can install /sbin/bash which is ahead of
>> /bin/bash in PATH, or whatever.
>>
>> If malware is recognized as a legitimate package by your package
>> manager, you've basically already lost, at least in the typical
>> linux/unix-like access control model. Now, if you're doing
>> unconventional things like android does with uids or putting 3 layers
>> of SELinux on top of everything then you can have more defense in
>> depth. But, that also requires sandboxing your package manager so
>> that it can't tamper with ALL of your security.
>>
>> As mgorny has already pointed out, you can't just sandbox package
>> phases to fix the problem. I think sandboxing your build system is a
>> great way to improve build system QA in general, but it doesn't solve
>> intrusion.
>>
>
>
> Ok, so the claim here is that installing is more or less the same as
> running wrt malicious code. Fine.
>
> Now, I want to install an ebuild from that overlay: I review said
> ebuild, seems fine, so I add & enable the overlay. Except, someone just
> pushed a malicious app-shells/bash running malicious code at global
> scope. Last I checked portage will source it and in the best case
> output a warning about running commands at global scope. I am now pwned.
>

All of this doesn't even get to the much more common issue we are going
to face, which is simply that these ebuilds and packages are more often
than not going to be outright broken. The sunrise project had a big
barrier to entry for a lot of folks because of the review process that
enforced ebuild structure and quality well above what repoman can do.
So forgetting about someone actively deciding to rootkit a bunch of
folks, what're we going to do about the ebuilds that are going to break
everyone's deptree resolution, or have a ton of automagic deps that
cause havoc on the next -uDN?

Even if we do a two-layer repo where the 'public' one is only rolled
forward when a gentoo-ci run passes cleanly, that only fixes so much AND
it'll cause the project to stall when nobody bothers to fix the
blockages. I assume we aren't to the point where gentoo-ci runs on
every individual commit and then kicks out the one(s) that fail while
rebasing to test and accept others...
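The point quoted above, that portage sources an ebuild and therefore runs anything written at global scope before any phase function is reviewed, is something a repository maintainer can at least lint for before a commit is accepted. The following is an added example for this thread, not code from the discussion and not portage's own global-scope warning: it is a line-based heuristic that tracks quotes, braces and parentheses so that function bodies, multi-line strings and array literals are skipped, and flags any other top-level line, including command substitution inside a global assignment (which executes even when double-quoted). The function names, the exact rules and the sample ebuild are all constructed for this example.

```python
"""Heuristic lint: flag code an ebuild would execute when portage sources it.

Added example for the thread above; not portage's own global-scope check and
not a real bash parser. Quotes, braces and parentheses are tracked per line so
function bodies, multi-line strings and arrays are skipped; any other top-level
line is reported. The sample ebuild at the bottom is constructed.
"""
import re

# Plain (possibly +=) assignment to a shell variable, e.g. KEYWORDS="~amd64".
ASSIGNMENT = re.compile(r"^[A-Za-z_]\w*\+?=")
# Function header: name() {  or  function name {  (the brace may follow on the next line).
FUNC_DEF = re.compile(r"^(?:function\s+[A-Za-z_][\w:.-]*|[A-Za-z_][\w:.-]*\s*\(\))\s*\{?$")
# Command substitution runs even inside double quotes, so it is never benign at global scope.
SUBSTITUTION = re.compile(r"\$\(|`")


def _scan(line, in_dq, in_sq):
    """Walk one line; return (brace_delta, paren_delta, in_dq, in_sq) afterwards.

    Braces and parentheses count only outside quotes. A '#' that starts a word
    outside quotes ends the line, so ${#VAR} is not mistaken for a comment.
    """
    braces = parens = 0
    i = 0
    while i < len(line):
        ch = line[i]
        if in_sq:
            in_sq = ch != "'"
        elif ch == "\\":
            i += 1  # skip the escaped character
        elif in_dq:
            in_dq = ch != '"'
        elif ch == '"':
            in_dq = True
        elif ch == "'":
            in_sq = True
        elif ch == "#" and (i == 0 or line[i - 1].isspace()):
            break
        elif ch in "{}":
            braces += 1 if ch == "{" else -1
        elif ch in "()":
            parens += 1 if ch == "(" else -1
        i += 1
    return braces, parens, in_dq, in_sq


def _classify(line):
    """Return None for a benign top-level line, otherwise a short reason string."""
    if not line or line.startswith("#") or line in ("{", "}"):
        return None
    if FUNC_DEF.match(line) or line.split()[0] == "inherit":
        return None
    body = line[7:].lstrip() if line.startswith("export ") else line
    if ASSIGNMENT.match(body):
        return "command substitution in global assignment" if SUBSTITUTION.search(body) else None
    return "command at global scope"


def lint_global_scope(text):
    """Return [(line_number, reason, line)] for suspicious global-scope lines."""
    findings = []
    depth = parens = 0        # >0 means inside a function body / an array literal
    in_dq = in_sq = False     # inside a quoted string that spans lines
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        at_top = depth == 0 and parens == 0 and not (in_dq or in_sq)
        b, p, in_dq, in_sq = _scan(line, in_dq, in_sq)
        if at_top:
            reason = _classify(line)
            if reason:
                findings.append((lineno, reason, line))
        depth += b
        parens += p
    return findings


# Constructed sample ebuild (not a real package); lines 3, 14 and 15 should be reported.
SAMPLE_EBUILD = """\
# Constructed sample for this example, not a real ebuild.
EAPI=7
[[ ${PV} == *9999* ]] && inherit git-r3
inherit toolchain-funcs
SRC_URI="https://example.invalid/${P}.tar.gz"
KEYWORDS="~amd64"
RDEPEND="
    sys-libs/ncurses:0=
"
PATCHES=(
    "${FILESDIR}/${P}-build.patch"
)
# Both of these run the moment portage sources the ebuild.
MY_TAG="$(date +%Y)"
touch "${HOME}/.global-scope-ran"
src_install() {
    default
    echo "{ braces inside strings are ignored }"
}
"""

if __name__ == "__main__":
    for lineno, reason, line in lint_global_scope(SAMPLE_EBUILD):
        print(f"line {lineno}: {reason}: {line}")
```

The conditional `inherit` on line 3 is reported on purpose: the heuristic does not try to decide which global-scope conditionals are harmless, it only hands them to a human reviewer. Run on the sample, it reports that line plus the `$(date ...)` substitution and the bare `touch`, while the multi-line `RDEPEND`, the `PATCHES` array and everything inside `src_install` stay quiet. A check like this only covers the "sourced at global scope" case raised in the thread; the phase functions, which portage later runs as root, still need to be read.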