[OpenIndiana-discuss] pkg security and incentives?
Reginald Beardsley
pulaskite at yahoo.com
Sat Aug 23 14:33:45 UTC 2025
I was offline for a while. Thanks to both for the excellent explanation. That makes good sense. I'll start beating on building an Octave IPS pkg.
Have Fun!
Reg
On Wednesday, August 20, 2025 at 02:03:43 PM CDT, Peter Tribble <peter.tribble at gmail.com> wrote:
On Mon, Aug 18, 2025 at 10:12 PM Reginald Beardsley via openindiana-discuss
<openindiana-discuss at openindiana.org> wrote:
> So if I build Gnu Linear Programming Package (aka GLPK) how do you
> prevent me from adding a Trojan, building GLPK, restoring the original
> source and building an IPS pkg? Is there a checksum generated by the
> compiler from the source file that is recorded in the binary?
>
> If not, I should like an explanation of how it meets the "On Trusting
> Trust" issue. This has long been a major concern, but I have been blindly
> trusting the OI repository.
>
> I can't resolve the backdoored distro problem, but I'm not concerned about
> that. I am concerned about the vetting process for IPS pkgs for 3rd party
> stuff produced by 3rd parties, e.g. Reg's version of libxyz.
>
Generally you wouldn't have a distribution taking someone else's binaries and packaging them. Normally the distributions build from source. And the build system normally checks the source input is what you expect - and that on subsequent build attempts it's exactly the same source.

Then there's reproducibility. Even if you can compromise one particular package instance, can you compromise somebody else building the same package independently? Because you can have 2 people building the same package and comparing their results.

Now, none of the illumos distributions have reproducible builds in quite the same way that other open source projects think about it - https://reproducible-builds.org/ - largely because the emphasis there is on things like output tarballs. In general, illumos binaries will differ because of metadata differences, but systems like IPS know how to skip that and can generate a checksum of just the elf content of an object. So in general 2 people should generate the same IPS package, which in theory allows backdoored packages to be detected. (The theory part is if anybody bothers to look.)
> Reg
>
>
> On Monday, August 18, 2025 at 03:36:05 PM CDT, Till Wegmüller <
> toasterson at gmail.com> wrote:
>
> Hi Reg
>
> We do handle Maintenance and security updates for people.
> Technically you can have multiple repos linked to your system but in
> practice it's only ever the main openindiana.org one. And packages from
> there are always source built on the OpenIndiana build server and only
> from there. In the Future we would also like to provide ephemeral build
> zones that are spawned from a template and then destroyed. So it gets
> really hard to backdoor those machines like in the XZ case. Other ideas
> to make that spawning process happen are heartily welcome. But in short,
> we do not accept binary packages, only source and recipes, and then build
> them from a decently secure system for people.
>
> Hope this helps
> -Till
>
> On 18.08.25 21:44, Reginald Beardsley via openindiana-discuss wrote:
> > I'm happy to build packages for things I use that don't already have
> pkgs. However, it raises the issue of "On Trusting Trust". I've generally
> not been enthusiastic about binary packages because it's so easy to Trojan
> or backdoor one.
> > How does OI deal with that? This is why I have, until very recently,
> built from source. Linux made doing that fairly absurd with all the
> dependencies and as I was just using Linux on a test system for email I
> started slacking. Time to stop.
> > As an incentive, how about a lottery? People who build things for their
> own use and supply an IPS pkg get a ticket in an annual lottery for each
> pkg they contribute and the prize is of the order of 1000 Euros.
> > Have Fun!
> > Reg
> > _______________________________________________
> > openindiana-discuss mailing list
> > openindiana-discuss at openindiana.org
> > https://openindiana.org/mailman/listinfo/openindiana-discuss
>
>
--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
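Peter's point above is that IPS checksums only the ELF content of an object, so two independently built packages can be compared even though their files differ in metadata. The following is an added example, not code from this thread or from IPS itself: a Python sketch that hashes only the loaded (SHF_ALLOC) sections of a little-endian ELF64 object, with a constructed minimal ELF whose non-loaded .comment string differs between two "builds". The section layout, the `.comment` strings and the `compare_builds` helper are all assumptions made for the illustration; the real IPS algorithm is not reproduced here.

```python
import hashlib
import struct

SHF_ALLOC = 0x2      # section is loaded into memory (part of the program proper)
SHT_NOBITS = 8       # .bss-style section: occupies no file bytes

def elf_content_hash(data: bytes) -> str:
    """SHA-256 over the bytes of every loaded (SHF_ALLOC) section, in
    section-header order. Non-loaded metadata such as .comment or .note
    is skipped. Assumes a little-endian ELF64 object (illumos x86-64)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 object")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    h = hashlib.sha256()
    for i in range(e_shnum):
        # Elf64_Shdr leading fields: name, type, flags, addr, offset, size
        _, sh_type, sh_flags, _, sh_off, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        if sh_flags & SHF_ALLOC and sh_type != SHT_NOBITS:
            h.update(data[sh_off:sh_off + sh_size])
    return h.hexdigest()

def build_sample_elf(text: bytes, comment: bytes) -> bytes:
    """Constructed minimal ELF64 relocatable (not a real compiler output): a
    loaded .text section plus a non-loaded .comment section, the kind of
    metadata that legitimately differs from one build host to another."""
    shstrtab = b"\0.text\0.comment\0.shstrtab\0"
    t_off, c_off = 64, 64 + len(text)
    s_off = c_off + len(comment)
    shoff = s_off + len(shstrtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)

    def shdr(name, typ, flags, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, 0, off, size, 0, 0, 1, 0)

    return (ehdr + text + comment + shstrtab
            + shdr(0, 0, 0, 0, 0)                              # mandatory null section
            + shdr(1, 1, SHF_ALLOC | 0x4, t_off, len(text))    # .text: PROGBITS, ALLOC|EXECINSTR
            + shdr(7, 1, 0, c_off, len(comment))               # .comment: PROGBITS, not loaded
            + shdr(16, 3, 0, s_off, len(shstrtab)))            # .shstrtab: STRTAB

def compare_builds(a: bytes, b: bytes) -> dict:
    """Whole-file digests diverge on metadata; the ELF content digest should
    agree for two independent builds of the same source, and disagree if the
    loaded code was altered in one of them."""
    return {"whole_file_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "elf_content_equal": elf_content_hash(a) == elf_content_hash(b)}
```

Two builds with identical `.text` but different `.comment` strings report `whole_file_equal: False` and `elf_content_equal: True`; a change to the loaded code flips the second value.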