
Re: Revival of the signed debs discussion

On Wed, Dec 03, 2003 at 06:50:09AM +0100, Goswin von Brederlow wrote:
> Bernd Eckenfels <lists@lina.inka.de> writes:
> > How often has this person glanced over the results? As I understand debian
> > build daemons run unattended and build continuously. Correct me when I am wrong here.
> > 
> > But if I assume right, I don't want to lose that processing speed, especially
> > since it can be easily compensated with "3rd party" timestamps.
> In theory every build log is read. In practice I believe all buildd
> admins scroll through the log and look for some obvious signs of
> errors before signing. I don't expect them to read a 17 MB logfile
> line by line for example.

Well, actually...

All failed logs are examined to find the cause of the failure and to
decide on further action.

All successful logs get their .changes extracted, signed, and mailed
back. This is often done semi-automatically; in my case, this script is

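# Keep an untouched copy of the log mail.
cat "$1" > ~/buildd/orig
# Keep mail lines 1-8, drop line 9 through the "....changes:" line, then
# drop everything from the first line starting with "*" to the end.
sed -e '9,/\.changes\:$/d' -e '/^\*/,$d' "$1" > ~/buildd/changes
cat ~/buildd/changes > "$1"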

together with some mutt hooks that allow me to just hit "ryd" for as
many successful logs in my mailbox (and my gpg passphrase on the first
one). IOW, I don't really look at successful messages anymore; if a
build succeeds, it is assumed to be OK (which is why running regression
tests at deb build time is a good idea, and should be done if at all

They do run mostly unattended, and do build continuously; it's just so
that as-of-yet unsigned packages are put in ~buildd/build instead of
~buildd/upload (they're moved once the signed .changes arrives by mail)

> But even without reading having an actual person handling the signing
> has advantages. In case a buildd is compromised the signing still
> isn't. The attacker can't start and upload 500 backdoor packages
> pretending to be something else without raising red flags.  Also
> failures in the buildd behaviour have to be caught, like building
> empty debs all of a sudden. A quick glance at the package contents
> listed in the build log will detect that.

Even considering the above, this is still true. We keep an eye on our
systems; maintaining an autobuilder is more than just handling its logs.

I regularly have to log in to both machines to fix some issue (once
every week at least); if something "weird" is going on, I'll find out
then. Also, I get logs of all sorts mailed back on a daily and weekly
basis. Those logs I do examine conspicuously.

Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Attachment: signature.asc
Description: Digital signature
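
Added example, not part of the message above or of any buildd tooling: the two sed expressions from the script, run over a constructed log mail, plus a hypothetical pre-signing check (looks_like_changes) for a log that never reaches the ".changes:" marker. The mail layout, addresses and function names are assumptions made for the illustration.

```shell
# Added illustration; the mail below is constructed, not a real buildd log.

# The two sed expressions from the script in the message, reading stdin
# (the backslash before ":" is dropped here; it matches the same text):
#   9,/\.changes:$/d  drop line 9 through the "<name>.changes:" marker
#   /^\*/,$d          drop from the first line starting with "*" to the end
extract_changes() {
    sed -e '9,/\.changes:$/d' -e '/^\*/,$d'
}

# Hypothetical pre-signing check: the extracted text must carry fields a
# .changes file has; if it does not, there is nothing meaningful to sign.
looks_like_changes() {
    printf '%s\n' "$1" | grep -q '^Format: ' &&
    printf '%s\n' "$1" | grep -q '^Files:'
}

# Constructed sample: 8 header lines, build output, marker, .changes, trailer.
sample_mail() {
    cat <<'EOF'
From: buildd@example.org
To: admin@example.org
Subject: Log for successful build of hello_1.0-1 (dist=unstable)
Date: Wed, 03 Dec 2003 10:00:00 +0100
Message-Id: <constructed@example.org>
X-Header-6: constructed
X-Header-7: constructed

Automatic build of hello_1.0-1 on examplehost
gcc -o hello hello.c
hello_1.0-1_i386.changes:
Format: 1.7
Source: hello
Version: 1.0-1
Files:
 0123456789abcdef0123456789abcdef 1234 devel optional hello_1.0-1_i386.deb
******************************************************************
Build finished
EOF
}

# A log cut off before the marker: sed then deletes from line 9 to the end.
truncated_mail() { sample_mail | sed -e '/\.changes:$/,$d'; }

for m in sample_mail truncated_mail; do
    if looks_like_changes "$($m | extract_changes)"; then echo "$m: extract looks like a .changes"
    else echo "$m: no .changes found, do not sign"; fi
done
```

With the truncated mail the extraction leaves only the mail headers, which is the case the check catches before the result is handed to gpg.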
