Fwd: Re: [BuildStream] Add setting to disallow insecure transports

Tue, 30 Jun 2020 05:41:57 -0700

So is it agreed when we will ban http, ftp, and git if its set in project.conf to only allow secure downloads? Also how do we want to deal with GPG, or can that come at a later date? 

-------- Forwarded Message --------
Subject:        Re: [BuildStream] Add setting to disallow insecure transports
Date:   Thu, 25 Jun 2020 19:49:36 +0200
From:   Sander Striker via buildstream-list <[email protected]>
Reply-To:       Sander Striker <[email protected]>
To:     Michael Catanzaro <[email protected]>
CC:     BuildStream <[email protected]>




On Thu, Jun 25, 2020 at 4:58 PM Michael Catanzaro <[email protected] 
<mailto:[email protected]>> wrote:


[...]

   The use case is that I keep discovering elements in gnome-build-meta
   that use http://. I just counted and we have 12 currently, all of which
   must have snuck in since the last time I checked for them. Because we
   don't have project.refs on the master branch, that means any MITM
   attacker between the build server and the server that hosts the tarball
   can trivially replace the tarball with arbitrary malicious content and
   we would never notice. This is quite easy for a skilled attacker to do,
   e.g. with a BGP attack. Without project.refs or refs pinned in the
   file, we don't notice and will happily include the malicious content in
   the new runtime.

   http:// plus GPG could theoretically be secure, but that requires
   significant effort to set up and I really don't care. There is zero
   excuse for not using https:// in 2020. The safest approach is to
   completely ban it from the GNOME runtime (and freedesktop-sdk).
   Similarly, ftp:// and git:// also need to be banned. If we have
   projects that cannot be downloaded safely from upstream, we can rehost
   them.



Absent a feature in BuildStream currently, would it be a suggestion to 
add a validation hook on the git repository that rejects definitions 
that have the url pattern you wish to ban?


Cheers,

Sander

   Michael


   _______________________________________________
   buildstream-list mailing list
   [email protected] <mailto:[email protected]>
   https://mail.gnome.org/mailman/listinfo/buildstream-list


_______________________________________________
buildstream-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/buildstream-list























					Reply via email to