Focus on Linux
Re: How secure is the openSUSE Build Service? Nov 12 2007 09:39AM
Thomas (tom electric-sheep org)

> > I think it is *not* less secure. In the case of OSS it doesn't matter
> > anymore. When you trust several thousands developers around the globe,
> > hundreds of CVS, SVN, rsync, FTP, HTTP servers used for development and
> > dozens of distribution then *one* additional layer in the distribution
> > process doesn't really matter.
> >
> > It is a matter of trust and not a matter of security.
>
> A matter of trust, not security?!?
>
> That's the most bizarre thing I've heard this week, and it's been a very
> strange week. Security is fundamentally about trust, from the very basis of
> how we even attempt to build secure systems--cryptographic primitives such as
> hash functions.

Ok, initially I did not want to go this far, to avoid the discussions about
open-source software and commercial/closed-source software; but...

First I did not talk about technical trust.

We have two choices, the open-source operating system vendors/distributors like
*BSD, Red Hat, SUSE, etc. And on the other side you have commercial vendors like
IBM, Sun, Microsoft, Apple, ...

Some people dislike the policy of a commercial company or its CxOs, or fear
that the government has too much influence on that company. Others do not trust
these hobbyists from all around the globe; maybe some of them are from countries
that are in political/ethical/religious conflict with the country of the user.
Reasons for trust and the lack of it are manifold.

This creates a closed, resp. complex, situation that has many parts lying in the
dark, and a user has to make a choice which is not completely based on facts
but on trust. Who do I trust, the business folks with their neckties and suits
or these guys with the long beards that listen to the same music as I do?
(That is what I meant with trust.)

Another part in this trust model is the crypto signature of the distributor,
say SUSE, that is added to each package they ship.
This enables you to verify the integrity of the way of transportation of the
software. This is a security measure because you do not trust the transit of
the packages and can technically verify it.
But this signature also implies that SUSE trusts the OSS developers; otherwise
they would not sign their code.
This signature from SUSE or the 3rd party repos does not guarantee that the code
that is installed on your system has no backdoors or security bugs. On the other
side, developers paid by a company do also not guarantee flawless (neither by
accident nor by intention) code.

Did this make clear the difference I want to show?

Greetings.

--
Tom <tom (at) electric-sheep (dot) org [email concealed]>
fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF

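The distinction Tom draws between the distributor's package signature and the quality of the signed code can be made concrete. The following is an added example, not code from the thread or from openSUSE; it uses an HMAC with a constructed key as a stand-in for the distributor's asymmetric GPG signature (the real openSUSE check is `rpm --checksig` against the distributor's public key), and all package contents are constructed. It shows the three cases the message separates: an untouched signed package verifies, a package modified in transit fails, and a package whose maintainer shipped a bug still verifies because the distributor signed it.

```python
import hashlib
import hmac

# Constructed stand-in for the distributor's signing key. A real distributor
# (SUSE in the thread) signs with an asymmetric GPG key; HMAC-SHA256 is used
# here only so the example runs with the standard library. The verification
# outcome in each scenario is the same for a real signature.
DISTRIBUTOR_KEY = b"constructed-distributor-signing-key"


def sign_package(package_bytes: bytes, key: bytes = DISTRIBUTOR_KEY) -> bytes:
    """Distributor side: produce the signature shipped alongside the package."""
    return hmac.new(key, package_bytes, hashlib.sha256).digest()


def verify_package(package_bytes: bytes, signature: bytes,
                   key: bytes = DISTRIBUTOR_KEY) -> bool:
    """User side: confirm the bytes received are exactly the bytes the
    distributor signed. This says nothing about what those bytes do."""
    expected = hmac.new(key, package_bytes, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Constructed sample payloads standing in for package contents.
CLEAN_PACKAGE = b"#!/bin/sh\necho 'hello from a harmless package'\n"
# A package whose maintainer shipped an obvious defect (unbounded recursion).
# The distributor trusts the maintainer and signs it anyway.
BUGGY_PACKAGE = b"#!/bin/sh\nf() { f; }\nf\n"


def transit_scenarios() -> dict:
    """Return verification results for the three cases the thread distinguishes."""
    clean_sig = sign_package(CLEAN_PACKAGE)
    buggy_sig = sign_package(BUGGY_PACKAGE)

    # Simulated corruption during transport: a mirror or proxy flips one byte.
    tampered = bytearray(CLEAN_PACKAGE)
    tampered[0] ^= 0x01

    return {
        # Transit integrity holds: the signature check passes.
        "clean_untouched": verify_package(CLEAN_PACKAGE, clean_sig),
        # Transit integrity broken: the check catches it.
        "clean_tampered_in_transit": verify_package(bytes(tampered), clean_sig),
        # Code quality is outside the signature's scope: the check passes
        # even though the signed content is defective.
        "buggy_but_signed": verify_package(BUGGY_PACKAGE, buggy_sig),
    }


if __name__ == "__main__":
    for scenario, ok in transit_scenarios().items():
        print(f"{scenario}: {'verified' if ok else 'REJECTED'}")
```

The third result is the one the message is about: a valid signature tells you the package left the distributor in this form, so what remains is trust in whoever the distributor chose to sign for, not a technical guarantee about the code.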
Copyright 2010, SecurityFocus