[indiana-discuss] [desktop-discuss] [sw-porters-discuss] contrib and pending repo processes
John Sonnenschein
johnsonnenschein at gmail.com
Tue Nov 18 14:08:00 PST 2008
On 18-Nov-08, at 2:03 PM, Shawn Walker wrote:
> John Sonnenschein wrote:
>> On 18-Nov-08, at 1:40 PM, Shawn Walker wrote:
>>> John Sonnenschein wrote:
>>>> On 18-Nov-08, at 1:37 PM, Jim Walker wrote:
>>>>> John Sonnenschein wrote:
>>>>>> It's one thing if someone makes a mistake and accidentally
>>>>>> breaks things, even security things, it's another thing if we
>>>>>> institutionalize and automate the ability to upload malware.
>>>>>> Even debian/unstable hasn't done that. Do we /really/ want to
>>>>>> be the first to have viruses in our blessed repos?
>>>>> We can update the language relative to source code, but it's a
>>>>> big jump to imply we are opening the doors to malware.
>>>>>
>>>>> All the packages going into /contrib and /pending go through
>>>>> review by the community, which on its own provides a big filter.
>>>> My point is essentially that unless the source code is built by
>>>> a controlled system there's no way to verify that it is what the
>>>> source code pointer says it is, so it ought to be treated as an
>>>> exception to the rule, which means that someone trusted ought to
>>>> be the submitter (or trusted by proxy) and the default shouldn't
>>>> be to accept the package. If there's a good reason to have a
>>>> pure binary, there's a reason and it can be accepted assuming
>>>> the trust is there.
>>>> Malware is perhaps an extreme example but as I see /pending now
>>>> there's not a whole lot preventing it other than someone vetting
>>>> that the package through some minimal amount of testing does
>>>> what it claims to do at this moment. If it's malware there's no
>>>> real way to detect that even post-mortem.
>>>
>>> The reality is, even with source code, or automatically building
>>> something, there's no practical way to guarantee that a program is
>>> not malicious (unintentionally or not).
>>>
>>> Specifically, I sincerely doubt that every single contributed
>>> package is going to have every single line of source code checked
>>> to verify that something malicious wasn't introduced.
>>>
>>> I agree that it can reduce the risk, but it does not eliminate it.
>> Even if it doesn't eliminate it, it serves as a big disincentive to
>> do anything, by virtue of the fact that it's not easily hidden. It's
>> the same reason supermarkets put up cameras to prevent shoplifting:
>> in reality it does very little, but it leaves evidence behind, which
>> in and of itself stops some people.
>
> I just wanted to point out that I think this particular point of
> contention isn't important.
>
> I thought all of this was already covered by votes needed to approve
> something and the condition of supplying the source code.
>
I thought so too, but then I checked the updated link about the
pending repo and it looked like the opposite of everything we agreed
on the other day.
> I would rather assume most contributors are not malicious
> (unintentionally or otherwise) and deal with it that way than treat
> everyone with distrust.
Trust is earned. A healthy amount of distrust is fine IMO. I also lock
my door when I leave the house, even though I mostly trust everyone in
my apartment building.
-JohnS
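The check John is arguing for above (a binary is only trusted if a controlled build of the referenced source produces it) can be made concrete. The following is an added example and not code from the thread or from the pkg(5) repositories; `controlled_build` is a deterministic stand-in for a real build system, and the submission records and source files are constructed in-memory so the script runs offline.

```python
"""
Rebuild-and-compare check for a package submission.

Added example, not part of the original thread. The 'controlled_build'
function is a deterministic stand-in for a reproducible build system;
the submissions below are constructed test data.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Submission:
    name: str
    source_files: dict      # path -> bytes: the source the submitter points at
    source_sha256: str      # digest the submitter claims for that source
    binary: bytes           # the artifact the submitter actually uploaded


def hash_source(source_files):
    """Digest of paths and contents in sorted order, so dict order is irrelevant."""
    h = hashlib.sha256()
    for path in sorted(source_files):
        h.update(path.encode())
        h.update(b"\0")
        h.update(source_files[path])
        h.update(b"\0")
    return h.hexdigest()


def controlled_build(source_files):
    """Stand-in for a reproducible build: output depends only on the source."""
    out = b"#!/bin/sh\n# built by controlled builder\n"
    for path in sorted(source_files):
        out += b"# --- " + path.encode() + b" ---\n" + source_files[path]
    return out


def verify_submission(sub):
    """Return a list of problems; an empty list means the binary matches its source."""
    problems = []
    # 1. Does the referenced source match the digest the submitter claimed?
    if hash_source(sub.source_files) != sub.source_sha256:
        problems.append("source does not match claimed source hash")
    # 2. Does a controlled rebuild of that source reproduce the uploaded binary?
    rebuilt_digest = hashlib.sha256(controlled_build(sub.source_files)).hexdigest()
    uploaded_digest = hashlib.sha256(sub.binary).hexdigest()
    if rebuilt_digest != uploaded_digest:
        problems.append("uploaded binary differs from controlled rebuild of the source")
    return problems


# Constructed sample data (not real packages).
SRC = {"bin/hello.sh": b'echo "hello from contrib"\n'}

# Honest submission: binary is exactly what the controlled build produces.
honest = Submission("hello", SRC, hash_source(SRC), controlled_build(SRC))

# Submission whose binary carries content the referenced source does not have.
tampered = Submission(
    "hello", SRC, hash_source(SRC),
    controlled_build(SRC) + b"# extra line not present in the source\n",
)

# Submission that points at source other than the one it claims.
mislabelled = Submission("hello", SRC, "0" * 64, controlled_build(SRC))


if __name__ == "__main__":
    for sub in (honest, tampered, mislabelled):
        print(sub.name, verify_submission(sub) or "OK")
```

Only the rebuild step gives a verdict that does not depend on reading the source; a reviewer who reads every line of a diff is still trusting that the shipped binary came from that diff, which is exactly the gap the thread is about.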