Re: [qubes-users] Open sourcing my salt configs

[unman]

On Wed, Mar 03, 2021 at 11:58:41AM +, 'keyandthegate' via qubes-users wrote:
> I've been developing a lot of salt config for myself and I want to start open 
> sourcing it so that I can:
> 
> - Ask for public security review
> - Accept patches
> - Help people use Qubes a little better, when I think Qubes supports 
> anarchistic praxis and is a force of good in the world
> 
> I'm worried about the following things:
> 
> - I lose my security through obscurity, which I don't want to do without the 
> help of at least one non-amateur code reviewer for anything I publish
> 
> - (and I'm not sure if the economics/incentives work out here such that I 
> should be paying someone to help me with this or not)
> - I don't want to publish anything security sensitive without code review 
> because I don't want to harm people
> 
> Additionally, I'm not sure how to package salt config via a .deb package. Are 
> there any existing examples of this?
> 
> As an example of what I want to publish, I've written some config to create a 
> private debian package repo vm powered by a YAML file that lets you specify 
> sources to download packages (e.g. that are hosted as github releases) and 
> verify them via gpg, then provide them to vms. My motivation is towards the 
> goal of being able to destroy and recreate my templates from salt at any 
> time, because salt is not stateless (unlike e.g. nix or bazel), e.g. if you 
> decide to no longer add a package repo, you have to manually remove it from 
> the domain in addition to updating the salt config, and you may forget; being 
> able to recreate templates solves the otherwise almost intractable problem of 
> knowing your templates aren't out of sync; it also means you can exclude 
> templates from backups if you're brave, which can save a lot of space.
> 
> Another example of some code I may want to publish:
> (WARNING: I think this may have a critical security issue of exposing config 
> files to domains they don't belong to, but I'm not sure. Would need to 
> investigate before publishing)
> This fixes TemplateNotFound errors when you try to jinja-include another file 
> within a `file.managed` `template.jinja` file.
> 
> > # MAINTAIN: Removed when fixed: 
> > https://github.com/saltstack/salt/issues/31531
> > 'patch salt issue 31531':
> > cmd.run:
> > - name: |
> > if [[ ! -f "$XDG_DATA_HOME"/patched-salt-31531 ]]; then
> > cat < > sudo sed -i'' "s#if fn_.strip() and fn_.startswith(path):#if fn_.strip() 
> > and (fn_.startswith(path) or path == '/'):#" 
> > /usr/lib/python3/dist-packages/salt/fileclient.py && \
> > if ! grep extra-filerefs /etc/qubes-rpc/qubes.SaltLinuxVM >/dev/null; then 
> > sudo sed -i'' "s#salt-ssh#salt-ssh --extra-filerefs salt:///#" 
> > /etc/qubes-rpc/qubes.SaltLinuxVM; fi
> > CMD
> > fi
> > sudo mkdir -p "$XDG_DATA_HOME" || exit 1
> > sudo touch "$XDG_DATA_HOME"/patched-salt-31531 || exit 1
> 

Great - I love salting Qubes.
There *is* a problem in posting configs unless you are careful, but
generally this can be mitigated by making them as general as possible.
I'd be happy to take a look over what you have: you can get my email
and PGP key from the team page at Qubes.

Packaging - you need to package in an rpm because it will be handled in
dom0 (generally). I generally just package the files, and *not*
automatic execution. This is because I want people to review the files,
and possibly edit them, before executing in dom0.
If you want automatic execution, then it's simply a matter of using a
"post install" execution in the rpm. I don't like this, as stated, but
it's straightforward.

As to publishing, I have some salt on GitHub
(https://www.github.com/unman/shaker) 
Most of the states I publish are simple, in execution if not effect,
because they are teaching aids.
I have been thinking of publishing packages at https://qubes.3isec.org,
alongside the templates and Ubuntu packages that I already offer.
This could be done as an unofficial Qubes salt archive, possibly as a step
toward inclusion of packages in the official Qubes repositories.
If you'd like to take this further, drop me a line.
For general issues, reply to the list.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210304163301.GI17442%40thirdeyesecurity.org.

[qubes-users] Open sourcing my salt configs

['keyandthegate' via qubes-users]

I've been developing a lot of salt config for myself and I want to start open 
sourcing it so that I can:

- Ask for public security review
- Accept patches
- Help people use Qubes a little better, when I think Qubes supports 
anarchistic praxis and is a force of good in the world

I'm worried about the following things:

- I lose my security through obscurity, which I don't want to do without the 
help of at least one non-amateur code reviewer for anything I publish

- (and I'm not sure if the economics/incentives work out here such that I 
should be paying someone to help me with this or not)
- I don't want to publish anything security sensitive without code review 
because I don't want to harm people

Additionally, I'm not sure how to package salt config via a .deb package. Are 
there any existing examples of this?

As an example of what I want to publish, I've written some config to create a 
private debian package repo vm powered by a YAML file that lets you specify 
sources to download packages (e.g. that are hosted as github releases) and 
verify them via gpg, then provide them to vms. My motivation is towards the 
goal of being able to destroy and recreate my templates from salt at any time, 
because salt is not stateless (unlike e.g. nix or bazel), e.g. if you decide to 
no longer add a package repo, you have to manually remove it from the domain in 
addition to updating the salt config, and you may forget; being able to 
recreate templates solves the otherwise almost intractable problem of knowing 
your templates aren't out of sync; it also means you can exclude templates from 
backups if you're brave, which can save a lot of space.

Another example of some code I may want to publish:
(WARNING: I think this may have a critical security issue of exposing config 
files to domains they don't belong to, but I'm not sure. Would need to 
investigate before publishing)
This fixes TemplateNotFound errors when you try to jinja-include another file 
within a `file.managed` `template.jinja` file.

> # MAINTAIN: Removed when fixed: https://github.com/saltstack/salt/issues/31531
> 'patch salt issue 31531':
> cmd.run:
> - name: |
> if [[ ! -f "$XDG_DATA_HOME"/patched-salt-31531 ]]; then
> cat < sudo sed -i'' "s#if fn_.strip() and fn_.startswith(path):#if fn_.strip() and 
> (fn_.startswith(path) or path == '/'):#" 
> /usr/lib/python3/dist-packages/salt/fileclient.py && \
> if ! grep extra-filerefs /etc/qubes-rpc/qubes.SaltLinuxVM >/dev/null; then 
> sudo sed -i'' "s#salt-ssh#salt-ssh --extra-filerefs salt:///#" 
> /etc/qubes-rpc/qubes.SaltLinuxVM; fi
> CMD
> fi
> sudo mkdir -p "$XDG_DATA_HOME" || exit 1
> sudo touch "$XDG_DATA_HOME"/patched-salt-31531 || exit 1

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/NTmFFT8PX6ISKTuoQoqTiNW-F2DglyltdvA9x8wO347GSSL_I4S-c74Mbov1E4USGtpiWIpH39AZ-6lT3zzA9Uym9nxrRtGKGl8t_YsP3oE%3D%40protonmail.com.