I am here to post part of a conversation I have had with Fanthom regarding the security (or lack of it) of Porteus's packaging process.
Please, share your thoughts.

Porteus is more or less a community project, so everybody who has
something to contribute with is encouraged to help, isn't it? Well, I
find that this is a very "beautiful" approach, but it brings to my mind
some worries. If *everyone* can contribute with code, patches, modules,
etc... what is preventing a bad guy from packaging a module including a
Trojan Horse inside, then uploading it to Porteus?
Worse yet, in this site
(http://forum.porteus.org/viewtopic.php?f=53&t=640) you [Fanthom] ask
your contributors for binary modules, which could easily conceal
malware! Wouldn't it be better for everybody if contributors just
uploaded the code -whose provenance can be easily confirmed- and
a script to package it? That way, it would be harder for the bad guys
to pass malware into the official software.
I would like you to think about it. Experience shows that any site that
allows all its users to post whatever software they want for download
ends up hosting lots of malware. Unless you trust ALL of the
contributors, a little control is called for in order to have some peace
of mind. Accepting binary stuff without question is no good at all.
That is why sites like slackbuilds.org exist: they just provide you
with a small script that can be easily audited, then tell you where to
find the source and get it from the upstream author. No third person is
going to put evilware between you and upstream this way.
[...]
I think the most basic measure to take would be to just avoid binary
stuff submissions. A binary could have the Four Riders of Armageddon
inside and you wouldn't know. If developers only accepted a build
script (think about slackbuilds.org) and a link to a *reliable and
verifiable* source, then the chances of a community buddy including
evil things get drastically reduced. Patches could be distributed
separately from the source (after all, they are supposed to be easier
to audit than the whole code of, let's say, the Linux Kernel). This way,
Porteus wouldn't need to place its whole trust in the good will of
external contributors, and all the build and change submissions would be
done by a reduced team of (hopefully) honorable people.
Verifying the scripts and the sources' hashes does not take so much time. I'm
not so sure about the patches. What I know about code can be written in
a very small place, so I think this kind of thing is better discussed
by the people who do the actual work. These are only my 0.02 pounds.