
Re: opposition against clamav-data in debian volatile



On Sun, 20 Sep 2009 18:28:30 -0300, Henrique de Moraes Holschuh
<hmh@debian.org> wrote:
>On Sun, 20 Sep 2009, Marc Haber wrote:
>> As long as you do not expect me to manually sign every single upload,
>
>Why not? 

Because nobody pays me to spend an hour a day to sign packages. We had
three full cycles since I went to bed seven hours ago.

> It is a package, it has root access anywhere it is being installed
>or removed. 

And people know that the package is built automatically. All users I
know especially opted in to using the package instead of freshclam for
some-or-other reason.

>As you said, you'd have
>to jump through a lot of loops to do special validation of that specific
>package before installing it.

... which can be fully automated.

>If it would still address whatever problem space clamav-data wants to fix,
>maybe it would be easier if you created a package-generator package (that
>creates a fresh clamav-data package for the user when, e.g. a
>create-clamav-data command is run).

See clamav-getfiles. The script which builds the package is - of course
- packaged. I guess that you didn't even look at what you're trying to
kill.

>  If someone has network access to fetch
>clamav-data, he also has network access to fetch the signatures, so he could
>run the "create-clamav-data" utility instead...

This assumption is wrong.

>> It would be massively easier if I knew what are the real issues
>
>What jumps immediately to mind is that someone could get a hold of that key,
>and upload a trojan or bomb that will run as root on anyone that installs
>(or removes, whatever) the package.

Not if the key would be limited to clamav-data only and if the archive
would verify whether the new package only differs from some "golden"
package in the actual signatures.

>> That being said, it looks like volatile's policies are going to change
>> BIG TIME when it gets integrated into the main archive, and frankly,
>> as a volatile user, I'd rather see volatile stay separate than seeing
>> some of its previous principles dumped.
>
>Do you have a very secure setup involving two boxes, one of which is fully
>offline and talks to the first one using a safe, restricted, application
>layer link to get the clamav data, and upload the finished package back to
>the first box?

No. The process runs on a virtual machine on a host privately owned
and operated by the previous ftpmaster of Debian volatile, and was
carefully designed in close cooperation with the former Debian
volatile team. It is a real shame that the new Debian volatile team
decided to put up more hoops to jump through after clamav-data was one
of the first packages to be included with Debian volatile.

Oh well, some more motivation to work on Debian going down the drain.
Well done.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
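
The archive-side check proposed in the message above (accept an automated upload only if it differs from a "golden" package in the signature files) could look like the following. This is an added example, not part of the original message and not code from clamav-data or the Debian archive. It assumes the databases are `*.cvd` files under `var/lib/clamav`, that the check runs on each tar member unpacked from the .deb, and that the per-build Version change in the control file is handled separately; `make_tar` and the sample contents are constructed.

```python
import fnmatch
import hashlib
import io
import tarfile

ALLOWED = ("var/lib/clamav/*.cvd",)  # assumption: only the databases may change

def manifest(tar_bytes):
    """Map member name -> (type, mode, uid, gid, linkname, sha256)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            name = m.name[2:] if m.name.startswith("./") else m.name
            data = tar.extractfile(m).read() if m.isfile() else b""
            out[name] = (m.type, m.mode, m.uid, m.gid, m.linkname,
                         hashlib.sha256(data).hexdigest())
    return out

def violations(golden, candidate, allowed=ALLOWED):
    """Reasons to reject candidate; [] means only signature data changed."""
    problems = []
    for name in sorted(set(golden) | set(candidate)):
        g, c = golden.get(name), candidate.get(name)
        if g is None:
            problems.append(f"added: {name}")      # new files are never accepted
        elif c is None:
            problems.append(f"removed: {name}")
        elif g != c:
            # Only the content hash of a regular, allow-listed file may differ.
            meta_same = g[:5] == c[:5] and g[0] == tarfile.REGTYPE
            listed = any(fnmatch.fnmatchcase(name, p) for p in allowed)
            if not (meta_same and listed):
                problems.append(f"changed: {name}")
    return problems

def make_tar(files):
    """Build an in-memory tar from {name: (mode, bytes)}; constructed input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, (mode, data) in files.items():
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

BASE = {"postinst": (0o755, b"#!/bin/sh\nexit 0\n"),  # constructed sample
        "var/lib/clamav/main.cvd": (0o644, b"constructed-db-v1")}
GOLDEN = manifest(make_tar(BASE))
NEW = {**BASE, "var/lib/clamav/main.cvd": (0o644, b"constructed-db-v2")}
print(violations(GOLDEN, manifest(make_tar(NEW))))  # []
```

A changed maintainer script, an added file, or a mode change on a database file (for example a setuid bit) each produce a violation, so a key restricted to uploads that pass this check cannot be used to ship new code.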

