[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 1.0 issues: Packaging (esp. source)

Ian Jackson said:

> Supposing I don't trust anything.  How am I to examine the source
> package ?  For example, I might like to unpack it and do a diff
> against a source tree I have checked more thoroughly.
> [...]
> If I have a packaging format that I can extract using a standard tool
> that I know doesn't `execute' the contents of the archive then common
> sense says that I'm not putting much more at risk than the target
> directory of the unpack.
> I shouldn't need to get into verifying the authenticity of packages
> and using PGP keys and what not just to *unpack* an archive !
> Likewise, I shouldn't need to drag half a dozen people into my trust
> envelope just to look at a pile of source code.

"Andrew D. Fernandes" <adfernan@cnd.mcgill.ca> said:

> I *strongly* **strongly** agree with this. A short while ago, I was
> playing with some shell script installers for a tex package... the
> damn thing blasted away my personal ~/local/bin without a thought!

Ian that says we shouldn't preclude paranoia.  Andrew makes the case that
paranoia can be a good thing, citing an example which caused him problems
because of insufficient paranoia.

Leaving aside the question of malicious intent (PGP security on uploads
is eventually supposed to screen out all but those considered trustable
to be without malicious intent, as I understand it), we're talking mainly
about executing src-package unpacking and debianizing shell scripts which
were written by (some unacceptably large number of) others and may have
been written without sufficient thought by those others.  A mistake, or a
system-specific assumption, on the script-writer's part can cause problems
for the person executing the script on a different system.

It seems to me that the paranoid can unpack source packages in a clean
directory as an ordinary user.  That ought to insulate them from most
of the potential damage.

It also seems to me that we already accept essentially this exact
same problem with binary package pre- and post- scripts.  In fact, the
problem in that case is much worse, since those scripts are always
executed as root.

The seriously paranoid can manually extract the binary package control
components, of course, and examine the scripts before installing the
package.  This same option would be available to the seriously paraniod
with regard to internal source package scripts used for unpacking and
debianizing the sources they contain.

Hmmmmmm......  Just unpacking the package tarfiles as root in the process
of binary package installation can be dangerous.  Wasn't there a package
floating around for a while which would clobber /etc/passwd by unpacking
over it if the package was installed, and a base.deb version which installed
a /sbin/unconfigured.sh script -- causing system to think it had not yet
been configured on reboots following installation of that package,?
 Of course, the seriously paranoid can always carefully investigate
binary package contents before installing a binary package as well.

The bottom line, I guess, is that I see less serious potential problems with
the proposed source package scripts than I see with the already accepted
and widely used binary package mechanisms.  If we're to be paranoid, it
seems to me that we ought to direct our paranoia to binary packages
before source packages, because of the relative ease with which potential
damage from unpacking source packages can be minimized as compared with
the difficulty of minimizing the potential damage from installing binary

Reply to: