[TriLUG] The sad state of sysadmin in the age of containers

MrB via TriLUG trilug at trilug.org
Fri Mar 13 15:50:04 EDT 2015


The most basic part of the system, OS aside, is the FIRMWARE ... nobody
oversees the source for that either.

On Fri, Mar 13, 2015 at 3:41 PM, Sean Alexandre via TriLUG <
trilug at trilug.org> wrote:

> On Fri, Mar 13, 2015 at 02:33:27PM -0400, Igor Partola wrote:
> > > Signing and rolling releases aren't mutually exclusive. It's perfectly
> > > reasonable to expect an upstream developer to sign releases with each new
> > > version. This isn't difficult, and not hard for a downstream packager to
> > > check.
> >
> > The first part of this paragraph is correct: it costs me nothing, as a
> > developer, to sign my releases. The second part implies that there is a
> > downstream author. Debian stable includes roughly 48,500 packages. That's a
> > lot. But look at http://www.modulecounts.com/. The NodeJS packages via npm
> > include nearly 3 times as many at just under 140,000. PyPI includes over
> > 55,000. Many of these are useful, yet little known. Not every one of these
> > has a trusted "downstream" maintainer who is also widely trusted by the
> > community. In other words, it's a question of resources: there aren't
> > enough maintainers for all these packages. Thus, the signature on the
> > package tells you nothing since anybody can create a PGP keypair and sign a
> > package.
>
> I understand what you're saying, and agree it's a problem. It's one of the
> reasons I don't use Python as much as I would. I mostly stick to what comes
> packaged with Debian (not to say that's perfect either, just safer.)
>
> I like your HTTPS/HTTP/CA argument -- that PyPI get HTTPS support working
> first, and then figure out the CA and/or web-of-trust problem. This to me is
> another example of "defense in depth", and is a layered defense. Even just one
> layer raises the bar for what it takes to deploy an exploit.
>
> I think the same thing could be done with package signing. Add layers of
> defense over time. One important layer would be for packagers to sign their
> releases. The next steps aren't as easy, but definitely doable. Build up
> a web-of-trust with PGP. It doesn't have to be a perfect WoT either. Every link
> makes it stronger. It can grow over time.
>
> I try to follow what's going on with Python, with this. This seems to be some
> of the latest on where things stand:
>
> pip should not execute arbitrary code from the Internet
> https://github.com/pypa/pip/issues/425
>
> I don't follow it as closely as I'd like, though. I'd like to hear of more, or
> of some official position if there is one.
>
> So not an easy problem to solve, but solvable, and important to solve.
>
> Do enough people care?
>




-- 
- - - - - - - - - - - - - - - - - -
sent from GMAIL online
