[TriLUG] The sad state of sysadmin in the age of containers

Sean Alexandre via TriLUG trilug at trilug.org
Fri Mar 13 16:20:55 EDT 2015


On Fri, Mar 13, 2015 at 03:57:45PM -0400, Igor Partola via TriLUG wrote:
> WoT does not actually protect the code itself. It simply says "developer
> @haxor signed this release." Let's say I am @haxor and you know me
> personally and have verified my identity directly. You know for a fact that
> this code comes from me. Now, how do you know the NSA didn't compel me to
> put in a backdoor? Or that they did not compromise my workstation to insert
> a backdoor into every piece of code I release, right before I upload it to
> PyPI? The only way to verify that is for security researchers to pore over
> every piece of code released on PyPI, NPM, etc. and that's just not
> feasible because there aren't enough security researchers. All this means
> is that the last mile of code security and security guarantees is an
> incredibly hard resource allocation problem, which cannot be solved with
> release signing.

So I get that you're not for package signing, and I think that's too bad. 

This discussion has kind of gone full circle.

We're back to the "layer X" doesn't do everything argument. True. It's just one
layer.

> P.S.: pip executing arbitrary code is bad. Of course dpkg can do the same,
> and so can rpm. All include ability to run arbitrary code in the form of
> pre and post install/remove scripts inside the package, and all can be fed
> packages that come from anywhere, including unsigned repositories. pip is
> really the analog of apt + dpkg: it downloads packages, and installs them.
> apt is by default configured to only look at distro repos, but does not
> have to, and can easily be bypassed.

dpkg can't do that out of the box. You'd have to misconfigure it. Debian has
a trust chain that by default doesn't allow arbitrary package installs.
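The "trust chain" referred to above is apt's signed-index model: a signed Release file lists the hash and size of each Packages index, and the index lists the hash and size of each .deb, so an unsigned or altered file anywhere in the chain is rejected before dpkg ever runs its maintainer scripts. The following Python is an added example, not code from this thread or from apt/dpkg; the repository files are constructed inline, and the GnuPG check that apt performs on the Release file (gpgv against the keys in /etc/apt/trusted.gpg.d) is represented here by a boolean input rather than re-implemented.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the digest apt uses in modern indexes)."""
    return hashlib.sha256(data).hexdigest()


def parse_release(text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256 stanza of a Release file.

    Release files list checksums in stanzas (MD5Sum:, SHA1:, SHA256:); each
    entry is a continuation line of the form " <digest> <size> <path>".
    """
    entries = {}
    in_sha256 = False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_sha256 = True
            continue
        if not line.startswith(" "):
            in_sha256 = False  # any other header ends the stanza
            continue
        if in_sha256:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(text: str) -> dict:
    """Return {Filename: (sha256_hex, size)} from a Packages index.

    Packages is a series of blank-line-separated "Key: value" stanzas.
    """
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def verify_download(release_text, release_signature_ok, packages_bytes,
                    packages_path, deb_bytes, deb_path) -> str:
    """Walk the chain Release -> Packages -> .deb and say why a download fails.

    release_signature_ok stands in for the gpgv verification of the Release
    file against the distribution's archive keys (not re-implemented here).
    """
    if not release_signature_ok:
        return "reject: Release signature not trusted"
    release = parse_release(release_text)
    if packages_path not in release:
        return "reject: index not listed in Release"
    digest, size = release[packages_path]
    if len(packages_bytes) != size or sha256_hex(packages_bytes) != digest:
        return "reject: Packages index does not match Release"
    packages = parse_packages(packages_bytes.decode())
    if deb_path not in packages:
        return "reject: package not listed in index"
    digest, size = packages[deb_path]
    if len(deb_bytes) != size or sha256_hex(deb_bytes) != digest:
        return "reject: package does not match index"
    return "ok"


def build_demo_repo():
    """Constructed miniature repository: one .deb, one index, one Release file."""
    deb = b"fake .deb contents (constructed for this example)\n"
    deb_path = "pool/main/e/example/example_1.0_all.deb"
    packages = (
        "Package: example\nVersion: 1.0\nArchitecture: all\n"
        f"Filename: {deb_path}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n"
    ).encode()
    packages_path = "main/binary-amd64/Packages"
    release = (
        "Origin: Example\nSuite: stable\nSHA256:\n"
        f" {sha256_hex(packages)} {len(packages)} {packages_path}\n"
    )
    return release, packages, packages_path, deb, deb_path


def demo():
    """Run the chain against a good download and three tampered variants."""
    release, packages, packages_path, deb, deb_path = build_demo_repo()
    good = verify_download(release, True, packages, packages_path, deb, deb_path)
    bad_deb = verify_download(release, True, packages, packages_path, deb + b"x", deb_path)
    bad_index = verify_download(release, True, packages.replace(b"1.0", b"9.9"),
                                packages_path, deb, deb_path)
    unsigned = verify_download(release, False, packages, packages_path, deb, deb_path)
    return good, bad_deb, bad_index, unsigned


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the chain is that only the top link needs a signature: once the Release file is trusted, every file below it is pinned by hash and size. Real apt additionally checks the Release file's Date and Valid-Until fields so a stale but correctly signed index cannot be replayed, and a repository entry marked `[trusted=yes]` in sources.list disables the signature link entirely, which is the kind of misconfiguration the reply above has in mind.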
