QA process was Re: RPM submission procedure

Toshio toshio at tiki-lounge.com
Thu Jan 8 20:04:15 UTC 2004


On Thu, 2004-01-08 at 14:05, Stefan van der Eijk wrote:
> Toshio wrote:
> >It took me a while to see this, but there really is a need for a two
> >step QA/testing process -- at least when you involve an autobuilder:
> >Pre-build:
> >Check for trojans and compromise attempts.
> >  
> >
> This isn't that difficult. At Mandrake a diff of the changes (patches 
> and .spec file) is put into the e-mail announcing the change. This 
> gives the reader a quick & clear overview of what has changed. For the 
> sources I would say: let the automated rebuild download them from the 
> original place, and check the signatures.
> 
This isn't secure.  If I, the packager, am trying to crack your
autobuilder, I can use a
Source0: http://cracks.com/autorootkit-1.0.tar.gz
whose "make all" tries to crack the machine.
A human needs to take a look at the package to filter out active
attempts to compromise the build machine.

An even more insidious compromise could be:
source0: http://www.not-apache-org.com/apache-2.0.48.tar.gz
which builds an HTTP server with intentional security holes.  One hopes
that a QA reviewer would see that the package came from a non-canonical
location but in the case of lesser known software, this kind of Trojan
could get all the way to an end-user's computer....

Hmmm... Email diffs could be useful when a package was an update of a
previous package.  Hopefully, someone would notice that the "canonical"
Source URL had changed....  Perhaps having the autobuilder not build new
packages or packages with new Source URLs (hosts?) without having peer
review done first would be sufficient?

-- 
Toshio <toshio at tiki-lounge.com>
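A mechanical version of the gate proposed at the end of the message above, added here as an example and not code from the thread or from any distribution's build system: it compares the Source URL hosts in a submitted .spec with those of the previously reviewed .spec and returns the reasons the autobuilder should hold the build for peer review. The spec texts are constructed samples and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Matches RPM SourceN tags. RPM tag names are case-insensitive, so a
# lowercase "source0:" is treated the same as "Source0:".
SOURCE_TAG = re.compile(r"^\s*source(\d*)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def source_hosts(spec_text):
    """Map each SourceN index to the host its URL points at (None for local files)."""
    hosts = {}
    for idx, url in SOURCE_TAG.findall(spec_text):
        host = urlparse(url).hostname
        hosts[idx or "0"] = host.lower() if host else None  # bare "Source:" means Source0
    return hosts


def review_reasons(previous_spec, new_spec):
    """Return why an autobuilder should wait for peer review before building.

    An empty list means every Source host matches the previously reviewed spec.
    """
    if previous_spec is None:
        return ["new package: no previously reviewed spec"]
    old, new = source_hosts(previous_spec), source_hosts(new_spec)
    reasons = []
    for idx, host in sorted(new.items(), key=lambda kv: int(kv[0])):
        if idx not in old:
            reasons.append("new Source%s from %s" % (idx, host))
        elif old[idx] != host:
            reasons.append("Source%s host changed: %s -> %s" % (idx, old[idx], host))
    return reasons


# Constructed sample specs (not real package submissions). The update moves
# Source0 to a look-alike host and adds a second tarball from a new host.
REVIEWED_SPEC = """Name: apache
Version: 2.0.48
Source0: http://www.apache.org/dist/httpd/apache-2.0.48.tar.gz
"""
UPDATE_SPEC = """Name: apache
Version: 2.0.48
source0: http://www.not-apache-org.com/apache-2.0.48.tar.gz
Source1: http://mirror.example.net/apache-extras-1.0.tar.gz
"""

if __name__ == "__main__":
    for reason in review_reasons(REVIEWED_SPEC, UPDATE_SPEC):
        print("hold for peer review:", reason)
```

The check is deliberately coarse (hosts only, not full URLs) so that an ordinary version bump on the same canonical site passes without human involvement, while a changed or added download host does not.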