Re: pkgng package repository tracking security updates
On 14/01/2013 22:44, n j wrote:
> One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures). The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.

Sorry. Distributed package building like this is never going to be acceptable. Too much scope for anyone to introduce trojans into packages. Building packages securely is a very big deal, and as recent events have shown, you can't take any chances.

Cheers,

Matthew

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: pkgng package repository tracking security updates
On Tue, Jan 15, 2013 at 10:13 AM, Matthew Seaman matt...@freebsd.org wrote:
> On 14/01/2013 22:44, n j wrote:
>> One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures). The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.
>
> Sorry. Distributed package building like this is never going to be acceptable. Too much scope for anyone to introduce trojans into packages. Building packages securely is a very big deal, and as recent events have shown, you can't take any chances.
>
> Cheers,
>
> Matthew

I'd trust this system as far as I trust port maintainers right now. I understand that a port maintainer can submit arbitrary MASTER_SITES in a port Makefile which allows the maintainer to inject malware as they wish. If I trust the port maintainer to make me download and build something coming from e.g. http://samm.kiev.ua or http://danger.rulez.sk (just random picks, no offense intended), then I'd trust that maintainer to upload the package for me or submit a SHA256 hash that the correct package must have. So if somebody else were to build the package, the server would accept the upload only if it matches the hash.

Am I overlooking something? Is there some kind of port verification by someone from the team prior to accepting the port submission?

--
Nino
Re: pkgng package repository tracking security updates
n j nin...@gmail.com writes:
> On Tue, Jan 15, 2013 at 10:13 AM, Matthew Seaman matt...@freebsd.org wrote:
>> On 14/01/2013 22:44, n j wrote:
>>> One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures). The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.
>>
>> Sorry. Distributed package building like this is never going to be acceptable. Too much scope for anyone to introduce trojans into packages. Building packages securely is a very big deal, and as recent events have shown, you can't take any chances.
>>
>> Cheers,
>>
>> Matthew
>
> I'd trust this system as far as I trust port maintainers right now.

Well, almost. It would have to be cryptographically validated, which would be a bit of work to get right.

> I understand that a port maintainer can submit arbitrary MASTER_SITES in a port Makefile which allows the maintainer to inject malware as they wish. If I trust the port maintainer to make me download and build something coming from e.g. http://samm.kiev.ua or http://danger.rulez.sk (just random picks, no offense intended), then I'd trust that maintainer to upload the package for me or submit a SHA256 hash that the correct package must have. So if somebody else were to build the package, the server would accept the upload only if it matches the hash.

It's easier to sneak something into a binary than a source code package, although you can never be *completely* sure either way (c.f., Ken Thompson's classic speech "Reflections on Trusting Trust").

In practice, some amount of subterfuge would be required for the attacker to keep from being found out too soon to do much good; possibly quite a lot of subterfuge, if the port gets run on TrustedBSD systems or other forms of system auditing. Once anyone notices a problem, the port will be shut down quickly.

> Am I overlooking something? Is there some kind of port verification by someone from the team prior to accepting the port submission?

Well, a committer has to check the port in personally, but deliberate sabotage could probably sneak by the committer most of the time.

- Lowell
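Nino's proposal above (the server accepts an upload only if it matches the SHA256 the maintainer submitted) and Lowell's reply that such a scheme would need cryptographic validation can be made concrete. The following is an added example, not code from this thread or from pkgng: a server-side upload gate in Python. The manifest layout, the function names and the sample archives are assumptions constructed for the example, and `build_archive` is a deterministic stand-in for `pkg create`, not the real tool.

```python
"""Upload gate for a maintainer-hash, anyone-uploads package scheme.

Added example (not from the freebsd-questions thread or from pkgng).
The maintainer builds the package and submits its SHA256; any volunteer
may upload the archive; the server accepts it only if the bytes hash to
the submitted digest.  Manifest layout and sample files are constructed.
"""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    """Digest of the whole archive, lowercase hex: the value the
    maintainer would submit alongside (or instead of) the package."""
    return hashlib.sha256(data).hexdigest()


def build_archive(files: dict) -> bytes:
    """Constructed stand-in for 'pkg create': a tar of the given files with
    all metadata pinned (mtime 0, root:root, mode 0644, sorted names).
    Pinning matters: if the archive carried the builder's clock or uid,
    a volunteer's rebuild would never hash to the maintainer's digest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def check_upload(manifest: dict, uploaded: bytes):
    """Server-side gate.  'manifest' is the maintainer's submission
    (constructed layout: name, version, sha256).  The upload is accepted
    only when its digest equals the submitted one; who uploaded it, and
    on what machine it was built, does not enter into the decision."""
    expected = manifest["sha256"].lower()
    actual = sha256_hex(uploaded)
    if actual != expected:
        return (False, "sha256 mismatch for %s-%s: expected %s, got %s"
                % (manifest["name"], manifest["version"], expected, actual))
    return (True, "accepted")


def demo() -> dict:
    """Three uploads checked against one maintainer manifest (all constructed)."""
    inputs = {
        "+MANIFEST": b"name: example-port\nversion: 1.2.3\n",
        "bin/example": b"#!/bin/sh\necho example\n",
    }
    maintainer_build = build_archive(inputs)
    manifest = {"name": "example-port", "version": "1.2.3",
                "sha256": sha256_hex(maintainer_build)}

    # A volunteer with more bandwidth rebuilds the same inputs and uploads.
    volunteer_build = build_archive(inputs)
    # A different build: one file's content changed.
    altered = dict(inputs, **{"bin/example": b"#!/bin/sh\necho something else\n"})
    altered_build = build_archive(altered)
    # A transfer that lost its last byte.
    truncated = maintainer_build[:-1]

    return {
        "rebuilt_accepted": check_upload(manifest, volunteer_build)[0],
        "altered_accepted": check_upload(manifest, altered_build)[0],
        "truncated_accepted": check_upload(manifest, truncated)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, accepted)
```

The gate shows both what the scheme buys and what it does not. A volunteer who rebuilds the same inputs byte-for-byte is accepted, and any other archive, including one that differs by a single byte, is refused, so the uploader needs no trust at all. Two things stay outside the hash: the build has to be reproducible, otherwise only the maintainer's own upload will ever match, and the manifest itself has to be bound to the maintainer, for instance by a signature over it, which is the validation Lowell refers to and which this example does not implement.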
pkgng package repository tracking security updates
Hi,

One of my primary concerns when managing a system is its security. In the interest of security, I usually hold to that "patch early, patch often". Ports are kept well up-to-date and with portmaster it is not a problem to keep updating the ports.

However, as Ivan [1] pointed out on his blog on pkgng:

> Having source-based ports is all fine and well but all that time compiling ports is subtracted from the time the server(s) would perform some actually useful work. After all, servers exist to do some work, not to be waited on while compiling.

The same goes for me: I don't want to wait for ports anymore. I don't want to wait for compilation too, especially on large ports and weak hardware, and do it often to stay on top of security vulnerabilities. For that reason I look forward to binary packages.

So, my question regarding pkgng is not really about the tool itself, but rather what will be provided via official repositories. One of the problems with the old pkg_* tools was that packages for a lot of software didn't exist and for those that did exist they weren't updated when vulnerabilities were discovered and patched upstream (and in ports). Is this going to improve with pkgng repositories, will there be a, say, -SECURITY repository that will build the new version of packages at least as often as security vulnerabilities are fixed in ports?

[1] http://ivoras.net/blog/tree/2012-08-31.using-pkgng-in-real-life.html

Regards,
--
Nino
Re: pkgng package repository tracking security updates
On 1/14/2013 1:07 PM, n j wrote:
> Hi,
>
> One of my primary concerns when managing a system is its security. In the interest of security, I usually hold to that "patch early, patch often". Ports are kept well up-to-date and with portmaster it is not a problem to keep updating the ports.
>
> However, as Ivan [1] pointed out on his blog on pkgng:
>
>> Having source-based ports is all fine and well but all that time compiling ports is subtracted from the time the server(s) would perform some actually useful work. After all, servers exist to do some work, not to be waited on while compiling.
>
> The same goes for me: I don't want to wait for ports anymore. I don't want to wait for compilation too, especially on large ports and weak hardware, and do it often to stay on top of security vulnerabilities. For that reason I look forward to binary packages.
>
> So, my question regarding pkgng is not really about the tool itself, but rather what will be provided via official repositories. One of the problems with the old pkg_* tools was that packages for a lot of software didn't exist and for those that did exist they weren't updated when vulnerabilities were discovered and patched upstream (and in ports). Is this going to improve with pkgng repositories, will there be a, say, -SECURITY repository that will build the new version of packages at least as often as security vulnerabilities are fixed in ports?
>
> [1] http://ivoras.net/blog/tree/2012-08-31.using-pkgng-in-real-life.html
>
> Regards,

Hi Nino,

I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why; that's one of the reasons why I'm using FreeBSD. I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server.

IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.

Regards,
Andrei
Re: pkgng package repository tracking security updates
On 14/01/2013 13:10, Andrei Brezan wrote:
> I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why; that's one of the reasons why I'm using FreeBSD. I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server.
>
> IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.

No, that's not *the* goal for pkgng. The goal is to provide a state-of-the-art binary package management system for FreeBSD (and anyone else who would like to use it). For many users this will entail downloading pre-compiled packages from FreeBSD official repositories. But it will be possible for third parties to set up their own repositories, in the same way that e.g. the Postgresql project has their own Yum repositories for RH-alikes. It will also be possible for people to compile their own packages either for direct installation, or to create their own private repositories to serve their own networks with their custom configured packages. And, ideally, people will be able to use a *mix* of the above as best suits their needs.

Cheers,

Matthew
Re: pkgng package repository tracking security updates
On Mon, Jan 14, 2013 at 2:10 PM, Andrei Brezan andrei...@gmail.com wrote:
> On 1/14/2013 1:07 PM, n j wrote:
>> Hi,
>>
>> One of my primary concerns when managing a system is its security. In the interest of security, I usually hold to that "patch early, patch often". Ports are kept well up-to-date and with portmaster it is not a problem to keep updating the ports.
>>
>> However, as Ivan [1] pointed out on his blog on pkgng:
>>
>>> Having source-based ports is all fine and well but all that time compiling ports is subtracted from the time the server(s) would perform some actually useful work. After all, servers exist to do some work, not to be waited on while compiling.
>>
>> The same goes for me: I don't want to wait for ports anymore. I don't want to wait for compilation too, especially on large ports and weak hardware, and do it often to stay on top of security vulnerabilities. For that reason I look forward to binary packages.
>>
>> So, my question regarding pkgng is not really about the tool itself, but rather what will be provided via official repositories. One of the problems with the old pkg_* tools was that packages for a lot of software didn't exist and for those that did exist they weren't updated when vulnerabilities were discovered and patched upstream (and in ports). Is this going to improve with pkgng repositories, will there be a, say, -SECURITY repository that will build the new version of packages at least as often as security vulnerabilities are fixed in ports?
>>
>> [1] http://ivoras.net/blog/tree/2012-08-31.using-pkgng-in-real-life.html
>>
>> Regards,
>
> Hi Nino,
>
> I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why; that's one of the reasons why I'm using FreeBSD. I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server.
>
> IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.
>
> Regards,
> Andrei

Hi Andrei,

The ports system is not going away with pkgng and it is still there for everyone who, like yourself, appreciates choosing all configure options and compiling by hand. I know that I'm not the only one who appreciates the practicality of binary packages and that is why I'm wondering if there are any plans for supplying the packages on a more consistent basis. I do understand that the infrastructure is limited and this might be cumbersome, but Linux distributions are doing it and while the same model probably isn't applicable to the smaller FreeBSD community, there are ways around that - building new versions only when (major?) security issues are identified, doing it for a limited scope of (most commonly used?) packages, using some kind of distributed hosting (e.g. torrents with maintainer-uploaded digital signatures) and so on.

Regards,
--
Nino
Re: pkgng package repository tracking security updates
On Mon, Jan 14, 2013 at 3:15 PM, Matthew Seaman matt...@freebsd.org wrote:
> On 14/01/2013 13:10, Andrei Brezan wrote:
>> I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why; that's one of the reasons why I'm using FreeBSD. I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server.
>>
>> IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.
>
> No, that's not *the* goal for pkgng. The goal is to provide a state-of-the-art binary package management system for FreeBSD (and anyone else who would like to use it). For many users this will entail downloading pre-compiled packages from FreeBSD official repositories. But it will be possible for third parties to set up their own repositories, in the same way that e.g. the Postgresql project has their own Yum repositories for RH-alikes. It will also be possible for people to compile their own packages either for direct installation, or to create their own private repositories to serve their own networks with their custom configured packages. And, ideally, people will be able to use a *mix* of the above as best suits their needs.
>
> Cheers,
>
> Matthew

Hi Matthew,

The point of my question was exactly if it was possible to elaborate on the "pre-compiled packages from FreeBSD official repositories" part. Would it be possible to have (security-wise) up-to-date pre-compiled packages in the official repositories?

Note, I don't expect an unreasonable effort here - I understand there will always be delays between upstream fix -- ports fix -- up-to-date package and it is acceptable for the binary package to lag a few days behind the port (depending on the availability of package building cluster or maintainer upload).

Regards,
--
Nino
Re: pkgng package repository tracking security updates
On 14/01/2013 14:36, n j wrote:
> The point of my question was exactly if it was possible to elaborate on the "pre-compiled packages from FreeBSD official repositories" part. Would it be possible to have (security-wise) up-to-date pre-compiled packages in the official repositories?
>
> Note, I don't expect an unreasonable effort here - I understand there will always be delays between upstream fix -- ports fix -- up-to-date package and it is acceptable for the binary package to lag a few days behind the port (depending on the availability of package building cluster or maintainer upload).

Yes, there will be a pkgng package building cluster which will track updates to the ports and provide as up-to-date a collection of packages as possible for at least x86, amd64 on all supported FreeBSD branches and head. Possibly other architectures as well. However, as all that is still under construction (and construction plans have been heavily revised in the light of the earlier security compromise) I have no good idea of what sort of turn-around will be possible. I expect at least as good as the old pkg build cluster managed and probably better.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: pkgng package repository tracking security updates
On Mon, Jan 14, 2013 at 3:43 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
> On 14/01/2013 14:36, n j wrote:
>> The point of my question was exactly if it was possible to elaborate on the "pre-compiled packages from FreeBSD official repositories" part. Would it be possible to have (security-wise) up-to-date pre-compiled packages in the official repositories?
>>
>> Note, I don't expect an unreasonable effort here - I understand there will always be delays between upstream fix -- ports fix -- up-to-date package and it is acceptable for the binary package to lag a few days behind the port (depending on the availability of package building cluster or maintainer upload).
>
> Yes, there will be a pkgng package building cluster which will track updates to the ports and provide as up-to-date a collection of packages as possible for at least x86, amd64 on all supported FreeBSD branches and head. Possibly other architectures as well. However, as all that is still under construction (and construction plans have been heavily revised in the light of the earlier security compromise) I have no good idea of what sort of turn-around will be possible. I expect at least as good as the old pkg build cluster managed and probably better.
>
> Cheers,
>
> Matthew

Thanks, that's encouraging news.

One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures). The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.

Regards,
--
Nino