
Re: Facilitating external repositories



On Mon, Aug 17, 2015 at 11:15:08AM +0200, David Kalnischkies wrote:
> On Sun, Aug 16, 2015 at 12:06:53PM +0000, Anthony Towns wrote:
> The user interface improvement might be worth it anyhow, but selling
> this as huge security improvement is just wrong, which is all I am
> against.

I think it's a practical security improvement -- having one point you
can exploit is a lot better than having four points you can exploit. 

But the desired use case is still "grab stuff from someone on the Internet
that I don't know well and give it root permissions on my system",
and I don't think you can make that "secure" in any absolute sense.

If there's any further improvements possible, I can't think of them. :(

> > With extrepos as I describe them, the steps are:
> >  1. You hear about a cool repo from somewhere, and are told to just
> >     get the example-abc123 repo.
> >  2. You run "extrepo add example-abc123", and run apt to install the
> >     packages.

[3. check sigs on the key]

> That should ideally still include 3. as especially with a centralized
> site you are susceptible to end up with bad data stored under a similar
> name, like you do if you trust short keyids for gpg.

Sure. In fact, why should "extrepo add" display that? Is there a web
service that can work out trust paths...?

> That wasn't an "all engines full stop". My initial comment on this was "you
> will *eventually* need to deal with merging in the funky gui tools adding
> sources." (highlight by me).  

Ah, right -- I definitely read that as "all engines full stop". My bad.

> And for the record, I think it is really
> really bad to even suggest that it is okay to ignore warnings. They are
> displayed for a reason – in that case there is a fair chance the user
> meant to configure another source but actually didn't.

Yes, in real use, definitely. I've been kind of focussing on an absolute
minimum viable solution. There are another few bits I've been handwaving
over too for the record:

 - updating a repo (if it needs a new key or new url) is "impossible"
   as far as I've described

 - there's no way to relate repos (jessie vs wheezy base; stable vs
   dev versions; canonical site vs mirror)

 - providing a search function on extrepos.debian.net might be actively
   /harmful/ for security (i.e., it'd be hard to avoid malicious repo
   creators being more effective at SEO on extrepos.d.n than legit
   repo creators)

But (as I said to David in person) seems like it's time to have some code
to throw stones at, rather than just list posts now...

Cheers,
aj
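As an added illustration of the "step 3: check sigs on the key" point discussed in this message (this is example code written for this page, not part of the thread, not the extrepo tool, and not code by either poster): a minimal POSIX-sh "add repo" step that refuses to install a signing key unless its full 40-hex-digit fingerprint matches one the user obtained out of band, and that scopes the key to that one repository with apt's `signed-by` option instead of adding it to the global trusted keyring. The repo name, URL, suite, key file path and fingerprints are constructed placeholders; the `/etc/apt/keyrings` directory is assumed to exist.

```sh
#!/bin/sh
# Added example, not from the thread or from extrepo: verify a repo key's
# full fingerprint before trusting it, then pin the key to one source.
set -eu

# Normalise a fingerprint for comparison: drop spaces/colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only if both arguments are the same 40-hex-digit fingerprint.
# Short key IDs or prefixes are rejected outright (the thread's point about
# look-alike names also applies to truncated key IDs).
fpr_matches() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    case "$a" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Print the primary-key fingerprint of a key file without importing it into
# any keyring (gpg >= 2.1; the "fpr" colon record carries it in field 10).
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# add_repo NAME URL SUITE COMPONENTS KEYFILE EXPECTED_FPR
# Installs KEYFILE under /etc/apt/keyrings and writes a sources.list.d entry
# whose signed-by= restricts that key to this one repository, so a leaked or
# malicious key cannot vouch for Release files of any other source.
add_repo() {
    name=$1 url=$2 suite=$3 comps=$4 keyfile=$5 expected=$6
    actual=$(key_fingerprint "$keyfile")
    if ! fpr_matches "$actual" "$expected"; then
        echo "refusing $name: key fingerprint ${actual:-<none>} != $expected" >&2
        return 1
    fi
    install -m 0644 "$keyfile" "/etc/apt/keyrings/$name.gpg"
    printf 'deb [signed-by=/etc/apt/keyrings/%s.gpg] %s %s %s\n' \
        "$name" "$url" "$suite" "$comps" > "/etc/apt/sources.list.d/$name.list"
}

# Constructed usage (placeholder values; run as root to actually install):
#   add_repo example-abc123 https://repo.example.invalid/debian stable main \
#       ./example-abc123.gpg '0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
```

The comparison deliberately insists on the full fingerprint rather than a key ID, and the `signed-by=` pinning means the added key can only validate that repository's metadata; a registry like the one proposed in the thread would ideally ship the expected fingerprint alongside the URL so that the check is not left to the user.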