Hi,

sorry to bother you with this, but I couldn't find a satisfying answer
to the question at openSUSE or in the xapian mailing list archives.

In short, I need to convince our provider to install the SUSE xapian
packages on the server on which they are hosting our website as well
as those of other customers. Due to that they are very concerned about
security.

The SUSE RPMs for xapian are provided on the openSUSE build service
and though I'm pretty sure that they were placed there by some of the
xapian developers, it is not clear how our provider can verify that.
On the Build Service website there is talk about a trust relationship
and a rating mechanism, but none of this seems to be implemented.

If whoever is making the SUSE RPMs available reads this message, can
you please explain whether there is any mechanism in place that
ensures that those packages come from you and not from any potentially
malicious user that creates an account at the SUSE Build Service?

If there's no such mechanism, would it be possible for you to assist
verification by, for example, publishing an MD5 hash for the latest
packages on the xapian.org website? Our provider would be willing to
trust a package downloaded directly from the authors, i.e.
www.xapian.org and posting such a hash for externally provided
packages could create the same level of trust for those.

Ideas, alternative suggestions, feedback from other users of the xapian
SUSE RPMs etc. would be greatly appreciated.

Best regards,
Greg

  • Olly Betts at Nov 19, 2007 at 6:40 pm

    On Mon, Nov 19, 2007 at 06:58:47PM +0100, Gregor Schmid wrote:
    > The SUSE RPMs for xapian are provided on the openSUSE build service
    > and though I'm pretty sure that they were placed there by some of the
    > xapian developers, it is not clear how our provider can verify that.

    Assuming you mean those linked to from the download page on xapian.org,
    they aren't maintained by any Xapian developers, but I think those
    responsible are SuSE developers (3 of the 4 listed on the build service
    have @novell.com email addresses at least). I believe some of them read
    this list.

    I also have an account on their buildservice which I use for testing
    builds, but these aren't intended for public consumption.

    > On the Build Service website there is talk about a trust relationship
    > and a rating mechanism, but none of this seems to be implemented.

    I don't know about this.

    > If there's no such mechanism, would it be possible for you to assist
    > verification by, for example, publishing an MD5 hash for the latest
    > packages on the xapian.org website? Our provider would be willing to
    > trust a package downloaded directly from the authors, i.e.
    > www.xapian.org and posting such a hash for externally provided
    > packages could create the same level of trust for those.

    I don't have a way to easily verify the contents of those packages, so
    publishing a hash for them on xapian.org wouldn't actually provide a
    valid reason for trusting them more than you would otherwise.

    > Ideas, alternative suggestions, feedback from other users of the xapian
    > SUSE RPMs etc. would be greatly appreciated.

    If they're only willing to trust downloads from xapian.org, building from
    source seems the obvious approach - there's a spec file in each tarball
    so rpmbuild can work directly from them. I can see hosting companies
    not being so keen on that though.

    Or find a provider who offers virtual servers - that way installing
    packages for you doesn't affect other users.

    Cheers,
    Olly
  • Gregor Schmid at Nov 19, 2007 at 9:59 pm
    Hello Olly,

    thanks a lot for your reply. Please see inline comments.

    Olly Betts <olly@survex.com> writes:
    > On Mon, Nov 19, 2007 at 06:58:47PM +0100, Gregor Schmid wrote:
    >> The SUSE RPMs for xapian are provided on the openSUSE build service
    >> and though I'm pretty sure that they were placed there by some of the
    >> xapian developers, it is not clear how our provider can verify that.
    > Assuming you mean those linked to from the download page on xapian.org,

    Correct.

    > they aren't maintained by any Xapian developers,

    I see.

    > but I think those
    > responsible are SuSE developers (3 of the 4 listed on the build service
    > have @novell.com email addresses at least). I believe some of them read
    > this list.

    It would be great to get a response from one or more of them. BTW,
    where can I find the info who has (supposedly) created a package
    available from the build service? I've browsed the site for a while
    now, but haven't found anything like that.

    Hold on, I just found a name in the changelog section of the packages
    with a suse.de address. Thus it seems that Marcus Rueckert is the
    maintainer. I saw some of his posts in the list archive.

    And just while I'm writing this mail, Marcus' response came in also :-)

    > I also have an account on their buildservice which I use for testing
    > builds, but these aren't intended for public consumption.
    >> On the Build Service website there is talk about a trust relationship
    >> and a rating mechanism, but none of this seems to be implemented.
    > I don't know about this.
    >> If there's no such mechanism, would it be possible for you to assist
    >> verification by, for example, publishing an MD5 hash for the latest
    >> packages on the xapian.org website? Our provider would be willing to
    >> trust a package downloaded directly from the authors, i.e.
    >> www.xapian.org and posting such a hash for externally provided
    >> packages could create the same level of trust for those.
    > I don't have a way to easily verify the contents of those packages, so
    > publishing a hash for them on xapian.org wouldn't actually provide a
    > valid reason for trusting them more than you would otherwise.

    Of course, if the creator of those packages is not affiliated with
    xapian.org that suggestion doesn't make sense.

    >> Ideas, alternative suggestions, feedback from other users of the xapian
    >> SUSE RPMs etc. would be greatly appreciated.
    > If they're only willing to trust downloads from xapian.org, building from
    > source seems the obvious approach - there's a spec file in each tarball
    > so rpmbuild can work directly from them. I can see hosting companies
    > not being so keen on that though.

    Yes, that's one of the obvious solutions. But of course, effort is an
    issue here since they don't have any interest of their own in
    installing the packages. Worse, that would mean that they'd have to
    take on the responsibility for keeping the package up-to-date and
    react quickly whenever a security issue in xapian or omega is
    discovered.

    > Or find a provider who offers virtual servers - that way installing
    > packages for you doesn't affect other users.

    Good suggestion, but that's not really an option, I'm afraid.

    Best regards,
    Greg
  • Marcus Rueckert at Nov 19, 2007 at 8:51 pm
    hi,

    the xapian package would be mine, and the mail reminds me to update the
    package.
    On 2007-11-19 18:58:47 +0100, Gregor Schmid wrote:
    > sorry to bother you with this, but I couldn't find a satisfying answer
    > to the question at openSUSE or in the xapian mailing list archives.
    >
    > In short, I need to convince our provider to install the SUSE xapian
    > packages on the server on which they are hosting our website as well
    > as those of other customers. Due to that they are very concerned about
    > security.

    what provider is that?

    > The SUSE RPMs for xapian are provided on the openSUSE build service
    > and though I'm pretty sure that they were placed there by some of the
    > xapian developers, it is not clear how our provider can verify that.
    > On the Build Service website there is talk about a trust relationship
    > and a rating mechanism, but none of this seems to be implemented.
    >
    > If whoever is making the SUSE RPMs available reads this message, can
    > you please explain whether there is any mechanism in place that
    > ensures that those packages come from you and not from any potentially
    > malicious user that creates an account at the SUSE Build Service?

    the buildservice is just a service to build the package.
    it always matters who maintains the package. atm you can only see it, if
    you have a buildservice account yourself, will bring that up on the
    meeting tomorrow. so in the case of xapian it would be me.

    i work for suse as packager.

    > If there's no such mechanism, would it be possible for you to assist
    > verification by, for example, publishing an MD5 hash for the latest
    > packages on the xapian.org website? Our provider would be willing to
    > trust a package downloaded directly from the authors, i.e.
    > www.xapian.org and posting such a hash for externally provided
    > packages could create the same level of trust for those.

    the packages and the pkg meta data are protected with gpg signatures.
    atm it is a shared gpg key for all buildservice projects. this will be
    changed in the near future.

    you could download our source rpm and verify the checksum of the
    tarball. the spec file has the build instructions we used to build the
    package.

    > Ideas, alternative suggestions, feedback from other users of the xapian
    > SUSE RPMs etc. would be greatly appreciated.

    in another reply it was suggested to build the rpms yourself with
    rpmbuild. the spec is slightly different from mine (suse packaging
    policies) and is not built in a clean chroot [1] like our rpms.

    hope this helps

    darix

    [1] actually those are xen instances now. a new xen vm for each build
    job.

    --
    openSUSE - SUSE Linux is my linux
    openSUSE is good for you
    www.opensuse.org
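The two checks Marcus describes (the GPG signature on the build service packages, and comparing the tarball inside the source RPM against the one published on xapian.org) written out as a small script. This is an added example, not code from the thread, from SUSE or from the Xapian project; the file names are placeholders, and it assumes `rpm`, `rpm2cpio`, `cpio` and `sha256sum` are installed and that the signing key has already been imported with `rpm --import`.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a hosting provider can run on a
# vendor source RPM before trusting the binaries built from it:
#  1. the SRPM's GPG signature verifies against a key imported beforehand,
#     so the package is what the signer published (shared build-service key
#     or not, an unsigned or tampered package fails here);
#  2. the upstream tarball inside the SRPM is byte-for-byte the tarball from
#     xapian.org, so the vendor spec file is the only vendor-added input.
# File names are assumptions; sha256 is used instead of the thread's MD5.
set -eu

# Return 0 if both files have the same SHA-256 digest, 1 otherwise.
same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Return 0 only if rpm reports at least one signature and none is NOT OK.
# An unsigned package prints no "Signature" line at all and so fails too.
rpm_signature_ok() {
    sigs=$(rpm -Kv "$1" | grep -i 'signature' || true)
    [ -n "$sigs" ] && ! printf '%s\n' "$sigs" | grep -q 'NOT OK'
}

# Extract one member (the upstream tarball) from a source RPM into $3.
extract_from_srpm() {
    srpm=$1; member=$2; dest=$3
    (cd "$dest" && rpm2cpio "$srpm" | cpio -idm --quiet "$member")
}

# Full check: signature on the SRPM, then tarball identity with upstream.
# Usage: verify_srpm xapian-core-X.Y.Z-1.src.rpm xapian-core-X.Y.Z.tar.gz \
#        /path/to/xapian-core-X.Y.Z.tar.gz   (downloaded from xapian.org)
verify_srpm() {
    srpm=$(readlink -f "$1"); tarball=$2; upstream=$3
    rpm_signature_ok "$srpm" || { echo "signature check failed: $srpm" >&2; return 1; }
    tmp=$(mktemp -d)
    extract_from_srpm "$srpm" "$tarball" "$tmp"
    if same_digest "$tmp/$tarball" "$upstream"; then
        echo "OK: $tarball in SRPM matches the upstream tarball"
        rm -rf "$tmp"
    else
        echo "MISMATCH: $tarball in SRPM differs from upstream" >&2
        rm -rf "$tmp"; return 1
    fi
}
```

A passing run still only tells you that the build inputs are the upstream source plus the vendor's spec file; reading that spec (patches, %build and %install sections) is the remaining manual step.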

Discussion Overview
group: xapian-discuss
categories: xapian
posted: Nov 19, '07 at 5:58p
active: Nov 19, '07 at 9:59p
posts: 4
users: 3
website: xapian.org
irc: #xapian