[clc-devel] httpup repositories and unmaintained (next try) [long]

Johannes Winkelmann jw at tks6.net
Sun Aug 22 10:15:49 UTC 2004


Hi,

On Sat, Aug 21, 2004 at 23:52:23 +0200, Daniel Mueller wrote:
> Hi
[...]
> On Fri, 20 Aug 2004 19:59:44 +0200
> Johannes Winkelmann <jw at tks6.net> wrote:
> 
> > What I'd like to suggest differs a bit from my httpup mirror service
> > proposal I wrote to crux@ a while ago and is rather what Jay Dolan
> > suggested: Create a new httpup collection, called 'people'
> > [..]
> 
> The 'people' collection might be a good idea, but we should consider the
> security aspect. I mean, do you trust in everybody's ports? By running a
> simple 'prt-get install <portname>' you can easily invite Harry H4cker.
That's true, but this is the very same for ports from private
repositories right now. People should not necessarily trust them, but if
you look at the reality, e.g. new users come to #crux and ask where they
can find a port for XYZ, and are guided through the whole task of
getting the file.httpup, installing httpup, doing ports -u (installing
cvsup and doing ports -u again ;-)), and finally installing it; no
questions asked, no remark regarding security. The 'people' collection
wouldn't be any safer, but since it's centralized, there would be more
eyes watching it, which will definitely help to rule out black sheep.

With respect to trust, the bigger problem I see is that people
"pretend" to be someone else; in which case you'll be fooled when
looking at the Pkgfile first, since you probably stop looking that hard
if the maintainer is a well known person. The simple solution here is to
let the repository merge script set the "# Maintainer: " line using some
meta information on the repository the port comes from.
This still doesn't guarantee the maintainer's repository wasn't hacked
itself; if we want strong confidence, then we need to introduce GPG/PGP
signing of the REPO file; this just imposes an extra step each time you
update your repository. Also note that if there was such a verification
process in place, it would be possible to have prt-get check the
signatures against a number of trusted ones, so you could configure it
to be paranoid and simply bail out if a package was made by a
non-trusted maintainer (meaning one not in your key ring).


Still I'd like to place emphasis on the fact that the problem of
potentially malicious ports is the very same right now, just better
hidden since it's not in a central, official place. No matter whether
we're going to implement an additional measure of trust, the situation
will rather improve than become worse IMO.

With respect to unmaintained, it is probably true that the current ports
in unmaintained are a bit better controlled since at least one CLC
maintainer checked them once... but this is pointless if they are older
than the ones in the httpup repositories, since in these cases, people
will use the newer one anyway.

Regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net
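The two measures sketched in the mail, as an added example that is not code from the original message, from CRUX, or from prt-get: a merge-script step that overwrites the "# Maintainer:" line from metadata the server holds about the contributing repository, and a client-side check of a signed REPO manifest against a keyring of trusted maintainers with a configurable "paranoid" mode that bails out on anything not signed by a known key. The GPG/PGP signature is stood in for by an HMAC-SHA256 over the manifest with a per-maintainer secret so the example runs offline with only the standard library; the trust policy is the same, only the primitive differs. The REPO manifest format, the maintainer names, the repository metadata and the keyring contents are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed: what the merge script knows about each contributing repository.
REPO_META = {
    "alice-repo": {"maintainer": "Alice Example, alice at example.org"},
}

MAINT_RE = re.compile(r"^# Maintainer:.*$", re.MULTILINE)


def set_maintainer(pkgfile: str, repo: str) -> str:
    """Overwrite (or insert) the '# Maintainer:' line from repository metadata,
    so the value in the merged collection comes from the server, not from
    whatever the submitted Pkgfile claims."""
    line = f"# Maintainer: {REPO_META[repo]['maintainer']}"
    if MAINT_RE.search(pkgfile):
        return MAINT_RE.sub(lambda _m: line, pkgfile, count=1)
    return line + "\n" + pkgfile


# Constructed keyring of trusted maintainers: key id -> secret.
# With real GPG this would be the public keys in the user's key ring.
TRUSTED_KEYS = {"alice": b"constructed-secret-alice"}

SIG_PREFIX = "# Signed-by: "


def sign_repo(manifest: str, key_id: str, secret: bytes) -> str:
    """Append a signature line to the REPO manifest (stand-in for a GPG
    signature made by the maintainer when updating the repository)."""
    mac = hmac.new(secret, manifest.encode(), hashlib.sha256).hexdigest()
    return f"{manifest}{SIG_PREFIX}{key_id} {mac}\n"


def verify_repo(signed: str, keyring: dict, paranoid: bool = True):
    """Return (accept, reason). With paranoid=True the client bails out on an
    unsigned manifest or one signed by a key not in the ring; with
    paranoid=False those are accepted (the reason string still says why).
    A bad signature from a known key is rejected in both modes."""
    manifest, sep, tail = signed.rpartition(SIG_PREFIX)
    if not sep:
        if paranoid:
            return (False, "unsigned")
        return (True, "unsigned, accepted (paranoid off)")
    parts = tail.split()
    if len(parts) != 2:
        return (False, "malformed signature line")
    key_id, mac = parts
    secret = keyring.get(key_id)
    if secret is None:
        if paranoid:
            return (False, f"untrusted maintainer key {key_id}")
        return (True, f"untrusted maintainer key {key_id}, accepted (paranoid off)")
    expected = hmac.new(secret, manifest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return (False, f"bad signature from {key_id}")
    return (True, f"verified: {key_id}")


# Constructed sample input: a Pkgfile claiming a well-known maintainer, and a
# small REPO manifest (the real REPO format is not shown in the mail).
SAMPLE_PKGFILE = (
    "# Description: example port\n"
    "# Maintainer: Well Known Person\n"
    "name=foo\nversion=1.0\n"
)
SAMPLE_MANIFEST = "f:1a2b3c4d:foo/Pkgfile\nf:5e6f7a8b:foo/.footprint\n"


if __name__ == "__main__":
    print(set_maintainer(SAMPLE_PKGFILE, "alice-repo"))
    signed = sign_repo(SAMPLE_MANIFEST, "alice", TRUSTED_KEYS["alice"])
    print(verify_repo(signed, TRUSTED_KEYS))
    forged = sign_repo(SAMPLE_MANIFEST, "mallory", b"constructed-secret-mallory")
    print(verify_repo(forged, TRUSTED_KEYS))
    print(verify_repo(forged, TRUSTED_KEYS, paranoid=False))
```

The maintainer rewrite runs on the server side at merge time, which is what makes the line trustworthy to the reader of the merged collection; the signature check runs on the client, and its paranoid flag is the "bail out if the package was made by a non-trusted maintainer" behaviour the mail describes for prt-get.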