permissions in cvs and security for our packages (Re: Plan for tomorrows (20070816) FESCO meeting)

Toshio Kuratomi a.badger at gmail.com
Fri Aug 17 18:05:50 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thorsten Leemhuis wrote:
> On 17.08.2007 17:50, Toshio Kuratomi wrote:
>> Thorsten Leemhuis wrote:
>> [...]
>> FESCO keeps discussing this [...]
> 
> I got the impression that yesterdays FESCo meeting ended the discussion
> for next few months. I think that's really bad because it's *IMHO*
> (maybe I'm just being over carefully and to frightened here...)
> currently way to easy for a malicious attacker to get bad packages with
> bad code out to the users:
> 
> - put a package up for review
> - get sponsored -- that's still the hardest parts, but not that hard if
> you reply to questions and advices from the reviewer quickly and poke
> the right people
> - watch mailing list and http://fedoraproject.org/wiki/Vacation for
> people being afk for longer time-periods
> - commit something bad to some well known packages which are (1) owned
> by folks being away and (2) without co-maintainers; hit CTRL+C quickly
> when cvs mentions that changes got commit -- if you are fast enough no
> commit mail will get send to the commits-list. Even if one gets send --
> if you are a bit careful (e.g. upload a modified tarball with the
> malicious code) then chances are good none of those few people that take
> a closer look at some the commit-mails on cvs-extras-commits will notice
> something bad(¹)
> - for F6 and devel the bad code will get out to the repo on it's own
> soon and find its way to the users automatically. For F-7 you need to
> get it out through bodhi -- not sure if it checks if the one that pushes
> a package is owning it. If not then the attacker can push his trojan
> horse easily himself. Chances this get noticed will be small as well.
> 
There's a couple responses to this that were brought up during the meeting:

1) Someone wanting to make trouble can make trouble whether they have to
wait for sponsorship or have to wait for sponsorship + waiting for a
period of time/getting ten packages in/etc.  None of the metrics for
advancement so far presented are trust based except sponsorship.

2) Whether it's default open or default closed, individual maintainers
have the option to open or close the acls on their packages.  So simply
closing the default acls doesn't prevent your scenario.  Because of the
large number of packages whose acl is open, it doesn't even do much to
mitigate it.

> Giving all sponsors access by default instead of "all new packagers get
> access to all new packages and round about 2935 out of 4847 packages
> (counted only devel branches and I hope my counting method was correct)"
> would have been the way saner choice IMHO.
> 
We can't do this yet.  We need a plan and someone with time to implement
it.  Until then, the difference between new packages default open and
packages which have already been opened are open is minimal.

There's actually two tickets in the packagedb which can help address this:
#28 https://hosted.fedoraproject.org/projects/packagedb/ticket/28 --
Long term plan to make changes to allow different acls for sponsors and
leveled contributor access.

#11 https://hosted.fedoraproject.org/projects/packagedb/ticket/11 --
Make an API for Bodhi so that Bodhi can enforce ownership on who is
allowed to push.  This needs to be followed by changes to Bodhi to make
that happen.

If you'd like to help in planning, then contribute to #28.  If you'd
like to contribute some code, jump into #11!

- -Toshio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGxeN9X6yAic2E7kgRAkd2AKCNwdEWjdYtQAT0QJdodyqY4qbrPQCfclQi
lT/90Gp9o0xWZDBHpOR2VNA=
=Y2Mg
-----END PGP SIGNATURE-----




More information about the fedora-devel-list mailing list