How secure is the openSUSE Build Service?


How secure is the openSUSE Build Service?

by Aniruddha-7

With the release of openSUSE 10.3, openSUSE introduced
'1-Click Install'. However, openSUSE only has security support for its
oss and non-oss repositories.

How great a security risk is adding third-party repositories which
you can hardly verify ( http://download.opensuse.org/repositories/ )?
What are the risks of getting rootkits and/or security exploits?

Is openSUSE's approach more risky than Gentoo/FreeBSD, which provide
security fixes for all packages in their tree?



--
Regards,

Aniruddha




Re: How secure is the openSUSE Build Service?

by Eduardo Tongson

Hi,

<http://download.opensuse.org/repositories/> Are those really third
party repositories?
As with any third-party repository/tree/source the usual caveats apply:
You are on your own.

  Ed

On 10/31/07, Aniruddha <mailing_list@...> wrote:

> With the release of openSUSE 10.3, openSUSE introduced
> '1-Click Install'. However, openSUSE only has security support for its
> oss and non-oss repositories.
>
> How great a security risk is adding third-party repositories which
> you can hardly verify ( http://download.opensuse.org/repositories/ )?
> What are the risks of getting rootkits and/or security exploits?
>
> Is openSUSE's approach more risky than Gentoo/FreeBSD, which provide
> security fixes for all packages in their tree?
>
>
>
> --
> Regards,
>
> Aniruddha
>
>
>
>

Re: How secure is the openSUSE Build Service?

by Aniruddha-7


On Thu, 2007-11-01 at 18:45 +0000, Eduardo Tongson wrote:
> Hi,
>
> <http://download.opensuse.org/repositories/> Are those really third
> party repositories?

Yes, those are third-party repositories. Everyone can get an account and
start a repo (see https://build.opensuse.org/ ).

> As with any third-party repository/tree/source the usual caveats apply:
> You are on your own.

Does this mean that a distro that doesn't require 3rd party repositories
(Debian/Gentoo/FreeBSD) is safer?


--
Regards,

Aniruddha




Re: How secure is the openSUSE Build Service?

by Eduardo Tongson

Correct.

> Does this mean that a distro that doesn't require 3rd party repositories
> (Debian/Gentoo/FreeBSD) is safer?

Re: How secure is the openSUSE Build Service?

by Thomas-15

Only if you assume *every* upstream developer is honest and/or trust the
integrity of the Debian/Gentoo/FreeBSD servers... Hello rsync! ;-)

On Friday 02 November 2007 Eduardo Tongson wrote:
> Correct.
>
> > Does this mean that a distro that doesn't require 3rd party repositories
> > (Debian/Gentoo/FreeBSD) is safer?
>



Re: How secure is the openSUSE Build Service?

by Bugzilla from metcalfegreg@qwest.net

On Monday 05 November 2007 11:40:05 pm Thomas wrote:
> Only if you assume *every* upstream developer is honest and/or trust the
> integrity of the Debian/Gentoo/FreeBSD servers... Hello rsync! ;-)
>
I have to disagree. Trusting every upstream developer, and all the admins who
maintain the systems (build farms, download servers, etc.) is clearly
impossible. Both groups are largely unknown to end users.

Far more important is the level of trust you place in the integrity with which
the project is run. If a download server is compromised (which has happened)
are the admins both skilled and forthcoming about fixing the problem, and
communicating what packages might be at risk? Is a software project developer
community careful about how they evaluate patches, do they reliably backport
patches against a development release to their stable release when it's
appropriate, etc.

In general terms, trust isn't binary, but a continuum, and I'd regard a
well-run distribution with no third-party repositories as safer.

> On Friday 02 November 2007 Eduardo Tongson wrote:
> > Correct.
> >
> > > Does this mean that a distro that doesn't require 3rd party
> > > repositories (Debian/Gentoo/FreeBSD) is safer?



Re: How secure is the openSUSE Build Service?

by Eduardo Tongson

Aniruddha was asking which is safer. There is a difference between 3rd-party
repositories and official repositories. If you do not trust the
distribution's official repositories, your alternative would be Linux
from Scratch and individually checking source tarballs.

On 11/6/07, Thomas <tom@...> wrote:

> Only if you assume *every* upstream developer is honest and/or trust the
> integrity of the Debian/Gentoo/FreeBSD servers... Hello rsync! ;-)
>
> On Friday 02 November 2007 Eduardo Tongson wrote:
> > Correct.
> >
> > > Does this mean that a distro that doesn't require 3rd party repositories
> > > (Debian/Gentoo/FreeBSD) is safer?
> >
>
>
>

Re: How secure is the openSUSE Build Service?

by Thomas-15

On Wednesday 07 November 2007 Eduardo Tongson wrote:
> Aniruddha was asking which is safer. There is a difference between 3rd
> party repositories and official repositories. If you do not trust the
> distribution's official repositories your alternative would be Linux
> from Scratch and individually checking source tarballs.

Which is - of course - very impracticable. :)

I think it is *not* less secure. In the case of OSS it doesn't matter
anymore. When you trust several thousand developers around the globe,
hundreds of CVS, SVN, rsync, FTP and HTTP servers used for development and
dozens of distributions, then *one* additional layer in the distribution
process doesn't really matter.

It is a matter of trust and not a matter of security.



--
Tom <tom@...>
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF

Re: How secure is the openSUSE Build Service?

by Bugzilla from metcalfegreg@qwest.net

On Tuesday 06 November 2007 10:16:49 pm Thomas wrote:

> On Wednesday 07 November 2007 Eduardo Tongson wrote:
> > Aniruddha was asking which is safer. There is a difference between 3rd
> > party repositories and official repositories. If you do not trust the
> > distribution's official repositories your alternative would be Linux
> > from Scratch and individually checking source tarballs.
>
> Which is - of course - very impracticable. :)
>
> I think it is *not* less secure. In the case of OSS it doesn't matter
> anymore. When you trust several thousand developers around the globe,
> hundreds of CVS, SVN, rsync, FTP and HTTP servers used for development and
> dozens of distributions, then *one* additional layer in the distribution
> process doesn't really matter.
>
> It is a matter of trust and not a matter of security.

A matter of trust, not security?!?

That's the most bizarre thing I've heard this week, and it's been a very
strange week. Security is fundamentally about trust, from the very basis of
how we even attempt to build secure systems--cryptographic primitives such as
hash functions.

Go back to fundamentals. What's the purpose of a password? To enable *trust*
that Alice really is Alice.

Re: How secure is the openSUSE Build Service?

by Thomas-15


> > I think it is *not* less secure. In the case of OSS it doesn't matter
> > anymore. When you trust several thousand developers around the globe,
> > hundreds of CVS, SVN, rsync, FTP and HTTP servers used for development and
> > dozens of distributions, then *one* additional layer in the distribution
> > process doesn't really matter.
> >
> > It is a matter of trust and not a matter of security.
>
> A matter of trust, not security?!?
>
> That's the most bizarre thing I've heard this week, and it's been a very
> strange week. Security is fundamentally about trust, from the very basis of
> how we even attempt to build secure systems--cryptographic primitives such as
> hash functions.

Ok, initially I did not want to go this far, to avoid the discussions about
open-source software and commercial/closed-source software; but...

First I did not talk about technical trust.

We have two choices: the open-source operating system vendors/distributors like
*BSD, Red Hat, SUSE, etc., and on the other side the commercial vendors like
IBM, Sun, Microsoft, Apple, ...

Some people dislike the policy of a commercial company or its CxOs, or fear
that the government has too much influence on that company. Others do not trust
these hobbyists from all around the globe; maybe some of them are from countries
that are in political/ethical/religious conflict with the country of the user.
Reasons for trust and the lack of it are manifold.

This creates a closed, or rather complex, situation that has many parts lying in the
dark, and a user has to make a choice which is not completely based on facts
but on trust. Who do I trust, the business folks with their neckties and suits
or these guys with the long beards that listen to the same music as I do?
(That is what I meant by trust.)

Another part in this trust model is the crypto signature of the distributor,
say SUSE, that is added to each package they ship.
This enables you to verify the integrity of the way of transportation of the
software. This is a security measure because you do not trust the transit of
the packages and can technically verify it.
But this signature also implies that SUSE trusts the OSS developers; otherwise
they would not sign their code.
This signature from SUSE or the 3rd-party repos does not guarantee that the code
that is installed on your system has no backdoors or security bugs. On the other
side, developers paid by a company do also not guarantee flawless (whether by
accident or by intention) code.

Does this make the difference clear that I wanted to show?


Greetings.

--
Tom <tom@...>
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF
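The distinction Tom draws in the post above (a distributor's signature proves transit integrity and identifies who vouched for the package, but says nothing about the code inside) can be shown concretely. The following Go program is an added example written for this thread; it is not openSUSE, zypper or rpm code and does not model their actual signature formats. It assumes a simplified scheme in which each package carries an Ed25519 signature over the SHA-256 digest of its payload, and the user's trusted keyring is just a map from signer name to public key. The key names (`distributor`, `third-party-repo`), package names and payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package models the minimal artifact a repository serves: the payload bytes,
// a signature over their digest, and the identity of the key that signed it.
// (Simplified model constructed for this example, not a real package format.)
type Package struct {
	Name      string
	Payload   []byte
	SignerID  string
	Signature []byte
}

// Keyring is the set of signing keys the user has decided to trust, e.g. the
// distributor's key imported at installation time.
type Keyring map[string]ed25519.PublicKey

// Signer holds a repository owner's signing key pair (constructed in-memory here).
type Signer struct {
	ID   string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewSigner(id string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{ID: id, priv: priv, pub: pub}, nil
}

// Sign signs the SHA-256 digest of the payload, mirroring signing a package digest.
func (s *Signer) Sign(name string, payload []byte) Package {
	d := sha256.Sum256(payload)
	return Package{Name: name, Payload: payload, SignerID: s.ID, Signature: ed25519.Sign(s.priv, d[:])}
}

var (
	ErrUntrustedKey = errors.New("package signed by a key that is not in the trusted keyring")
	ErrBadSignature = errors.New("signature does not match the package contents received")
)

// Verify checks that the signature was made by a trusted key over the payload actually
// received. A pass means "arrived unmodified from a signer you chose to trust"; it makes
// no statement about whether the code inside has backdoors or bugs.
func Verify(kr Keyring, p Package) error {
	pub, ok := kr[p.SignerID]
	if !ok {
		return ErrUntrustedKey
	}
	d := sha256.Sum256(p.Payload)
	if !ed25519.Verify(pub, d[:], p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario runs the cases discussed in the thread and returns the verification
// outcome for each, keyed by case name (nil means the package would be accepted).
func Scenario() (map[string]error, error) {
	distro, err := NewSigner("distributor")
	if err != nil {
		return nil, err
	}
	third, err := NewSigner("third-party-repo")
	if err != nil {
		return nil, err
	}
	kr := Keyring{distro.ID: distro.pub} // only the distributor's key is trusted initially
	results := map[string]error{}

	// 1. Official package, unmodified: transit integrity verified.
	official := distro.Sign("foo-1.0", []byte("constructed payload: foo 1.0"))
	results["official"] = Verify(kr, official)

	// 2. Same package with one byte flipped in transit: the signature catches it.
	tampered := official
	tampered.Payload = append([]byte(nil), official.Payload...)
	tampered.Payload[0] ^= 0xff
	results["tampered"] = Verify(kr, tampered)

	// 3. Third-party package: correctly signed, but by a key the user never trusted.
	tp := third.Sign("bar-2.0", []byte("constructed payload: bar 2.0"))
	results["third-party-untrusted"] = Verify(kr, tp)

	// 4. User imports the third-party key: the same package now passes. Nothing
	//    about the bytes changed; only the trust decision did.
	kr[third.ID] = third.pub
	results["third-party-after-import"] = Verify(kr, tp)

	// 5. Distributor-signed package whose contents happen to contain a bug: still
	//    passes, because the signature vouches for origin and integrity, not correctness.
	buggy := distro.Sign("baz-0.1", []byte("constructed payload: baz 0.1 (contains a bug)"))
	results["signed-but-buggy"] = Verify(kr, buggy)

	return results, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, res := range results {
		fmt.Printf("%-26s -> %v\n", name, res)
	}
}
```

Cases 3 and 4 are the practical content of "you are on your own": importing a repository key is the step at which the user extends trust to an unknown signer, and after that step the verifier treats their packages exactly like the distributor's. Case 5 is Tom's point that a valid signature is not a security review of the code.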