Gregor Schmid
2007-Nov-19 18:07 UTC
[Xapian-discuss] How can I trust the xapian openSUSE packages?
Hi,

sorry to bother you with this, but I couldn't find a satisfying answer to the question at openSUSE or in the xapian mailing list archives.

In short, I need to convince our provider to install the SUSE xapian packages on the server on which they are hosting our website as well as those of other customers. Due to that they are very concerned about security.

The SUSE RPMs for xapian are provided on the openSUSE build service and though I'm pretty sure that they were placed there by some of the xapian developers, it is not clear how our provider can verify that. On the Build Service website there is talk about a trust relationship and a rating mechanism, but none of this seems to be implemented.

If whoever is making the SUSE RPMs available reads this message, can you please explain whether there is any mechanism in place that ensures that those packages come from you and not from any potentially malicious user that creates an account at the SUSE Build Service?

If there's no such mechanism, would it be possible for you to assist verification by, for example, publishing an MD5 hash for the latest packages on the xapian.org website? Our provider would be willing to trust a package downloaded directly from the authors, i.e. www.xapian.org, and posting such a hash for externally provided packages could create the same level of trust for those.

Ideas, alternative suggestions, feedback from other users of the xapian SUSE RPMs etc. would be greatly appreciated.

Best regards,
Greg
Olly Betts
2007-Nov-19 18:40 UTC
[Xapian-discuss] How can I trust the xapian openSUSE packages?
On Mon, Nov 19, 2007 at 06:58:47PM +0100, Gregor Schmid wrote:
> The SUSE RPMs for xapian are provided on the openSUSE build service
> and though I'm pretty sure that they were placed there by some of the
> xapian developers, it is not clear how our provider can verify that.

Assuming you mean those linked to from the download page on xapian.org, they aren't maintained by any Xapian developers, but I think those responsible are SuSE developers (3 of the 4 listed on the build service have @novell.com email addresses at least). I believe some of them read this list.

I also have an account on their buildservice which I use for testing builds, but these aren't intended for public consumption.

> On the Build Service website there is talk about a trust relationship
> and a rating mechanism, but none of this seems to be implemented.

I don't know about this.

> If there's no such mechanism, would it be possible for you to assist
> verification by, for example, publishing an MD5 hash for the latest
> packages on the xapian.org website? Our provider would be willing to
> trust a package downloaded directly from the authors, i.e.
> www.xapian.org and posting such a hash for externally provided
> packages could create the same level of trust for those.

I don't have a way to easily verify the contents of those packages, so publishing a hash for them on xapian.org wouldn't actually provide a valid reason for trusting them more than you would otherwise.

> Ideas, alternative suggestions, feedback from other users of the xapian
> SUSE RPMs etc. would be greatly appreciated.

If they're only willing to trust downloads from xapian.org, building from source seems the obvious approach - there's a spec file in each tarball so rpmbuild can work directly from them. I can see hosting companies not being so keen on that though.

Or find a provider who offers virtual servers - that way installing packages for you doesn't affect other users.

Cheers,
Olly
Marcus Rueckert
2007-Nov-19 20:51 UTC
[Xapian-discuss] How can I trust the xapian openSUSE packages?
hi,

the xapian package would be mine, and the mail reminds me to update the package.

On 2007-11-19 18:58:47 +0100, Gregor Schmid wrote:
> sorry to bother you with this, but I couldn't find a satisfying answer
> to the question at openSUSE or in the xapian mailing list archives.
>
> In short, I need to convince our provider to install the SUSE xapian
> packages on the server on which they are hosting our website as well
> as those of other customers. Due to that they are very concerned about
> security.

what provider is that?

> The SUSE RPMs for xapian are provided on the openSUSE build service
> and though I'm pretty sure that they were placed there by some of the
> xapian developers, it is not clear how our provider can verify that.
> On the Build Service website there is talk about a trust relationship
> and a rating mechanism, but none of this seems to be implemented.
>
> If whoever is making the SUSE RPMs available reads this message, can
> you please explain whether there is any mechanism in place that
> ensures that those packages come from you and not from any potentially
> malicious user that creates an account at the SUSE Build Service?

the buildservice is just a service to build the package. it always matters who maintains the package. atm you can only see it, if you have a buildservice account yourself, will bring that up on the meeting tomorrow. so in the case of xapian it would be me. i work for suse as packager.

> If there's no such mechanism, would it be possible for you to assist
> verification by, for example, publishing an MD5 hash for the latest
> packages on the xapian.org website? Our provider would be willing to
> trust a package downloaded directly from the authors, i.e.
> www.xapian.org and posting such a hash for externally provided
> packages could create the same level of trust for those.

the packages and the pkg meta data are protected with gpg signatures. atm it is a shared gpg key for all buildservice projects. this will be changed in the near future. you could download our source rpm and verify the checksum of the tarball. the spec file has the build instructions we used to build the package.

> Ideas, alternative suggestions, feedback from other users of the xapian
> SUSE RPMs etc. would be greatly appreciated.

in another reply it was suggested to build the rpms yourself with rpmbuild. the spec is slightly different from mine (suse packaging policies) and is not built in a clean chroot [1] like our rpms.

hope this helps

darix

[1] actually those are xen instances now. a new xen vm for each build job.

-- 
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
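As an added example, not code from this thread or from the Xapian or openSUSE projects: a POSIX shell script that carries out the check darix describes (verify the signature on the source RPM, unpack it, compare the digest of the embedded tarball against a checksum list published by upstream) and notes in comments the rpmbuild-from-tarball route Olly mentions. It uses SHA-256 rather than the MD5 Greg asked about. The file names, the SHA256SUMS file and its contents are constructed placeholders, and the rpm/rpm2cpio/cpio commands are only called from extract_src_rpm, so the demo itself runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing list): verify that the tarball inside a
# vendor-built source RPM is byte-identical to the one upstream published.
# All file names and the SHA256SUMS contents below are constructed placeholders.

# Portable SHA-256 of a file: coreutils sha256sum, then shasum, then openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_tarball FILE SUMSFILE
# SUMSFILE is in sha256sum format ("<hex>  <name>"), as an upstream project
# would publish next to its release tarballs. Returns 0 on match, 1 on
# mismatch, 2 when FILE's name is not listed at all.
verify_tarball() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no published checksum for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Needs the real rpm tools: check the GPG signature on the .src.rpm first,
# then unpack it into the current directory so the tarball can be compared.
# The spec file unpacked alongside it records how the binary RPM was built.
extract_src_rpm() {
    rpm --checksig "$1" && rpm2cpio "$1" | cpio -idm
}

# The alternative Olly mentions: build directly from the upstream tarball,
# which carries its own spec file (rpmbuild -tb <tarball>).

# Offline demonstration with constructed data: a stand-in tarball, a stand-in
# SHA256SUMS, one clean check, then the same check after tampering.
demo() {
    tmp=$(mktemp -d)
    tarball="$tmp/xapian-core-VERSION.tar.gz"   # placeholder name
    printf 'constructed tarball contents\n' > "$tarball"
    printf '%s  xapian-core-VERSION.tar.gz\n' "$(sha256_of "$tarball")" \
        > "$tmp/SHA256SUMS"
    if verify_tarball "$tarball" "$tmp/SHA256SUMS"; then good=0; else good=$?; fi
    printf 'one extra byte\n' >> "$tarball"     # simulate a modified tarball
    if verify_tarball "$tarball" "$tmp/SHA256SUMS"; then bad=0; else bad=$?; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

The checksum step only establishes that the packager started from upstream's tarball; whether the binary RPM was actually built from it still rests on the signed build, which is why the signature check in extract_src_rpm comes first and why a hash published on xapian.org for someone else's binaries would add nothing, as Olly points out.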