Re: [Ksummit-discuss] [CORE TOPIC] services needed from kernel.org infrastructure

All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed

From: Jason Cooper <jason@lakedaemon.net>
To: Theodore Ts'o <tytso@mit.edu>
Cc: ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [CORE TOPIC] services needed from kernel.org infrastructure
Date: Wed, 8 Jul 2015 14:36:44 +0000	[thread overview]
Message-ID: <20150708143644.GI23515@io.lakedaemon.net> (raw)
In-Reply-To: <20150708140155.GA20551@thunk.org>

On Wed, Jul 08, 2015 at 10:01:55AM -0400, Theodore Ts'o wrote:
> On Wed, Jul 08, 2015 at 10:35:11AM +0100, Mark Brown wrote:
> > 
> > I think the only barrier here is someone writing some tooling that is
> > sufficiently useful and generic enough to work for people.  I know I
> > wrote my scripts mainly because none of the scripts I could find tie in
> > with my workflow (mainly around figuring out which branches in my local
> > tree correspond to branches on the server and syncing them up).  If
> > there'd been something I could just pick up I'd have happily done so.
> 
> Yeah, your concerns mirror mine:
> 
> 1) It will require a lot of configuration --- just because a commit
> shows up on a branch does not mean it is guaranteed that it will hit
> mainline.  In fact, a maintainer might push a commit onto a throwaway
> branch on kernel.org just so that the zero-day testing systems can
> give the commit a spin.  So that means it's not just enough to throw a
> bunch of git hook scripts on master.kernel.org, because maintainers
> will need to have to configure, if not customize, them.

Ack.  Is there room for a convention here?  e.g. dev opts in, which
means that tree follows a certain branch naming convention.

> This leads to my second concern which is:
> 
> 2) Having shell scripts run on master.kernel.org can be a significant
> security concern; this is *especially* true if customization or
> configuration is required.

Is it worse for an attacker to execute code as a designated,
unprivileged user on the server, with access to copies of repos?  Or, to
execute code as a dev on a dev box?  The latter potentially giving
access to ssh and pgp keys.

I'd argue that it's Konstantin's and David's jobs to keep those servers
locked down and properly configured.  Devs and dev boxes are held to no
such standard, and yet contain much more critical resources.

We can easily detect and recover from an attacker changing a repo on the
server.  The PGP signed tag will fail.  How do we detect and recover
from, say, Greg or Linus' machine being compromised?

This threat model assumes an intentionally malicious attacker whose goal
is to get bad shit into the kernel and pass git tag verification.

thx,

Jason.

next prev parent reply	other threads:[~2015-07-08 14:36 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-07-07 20:42 [Ksummit-discuss] [CORE TOPIC] services needed from kernel.org infrastructure Jiri Kosina
2015-07-07 22:40 ` Mark Brown
2015-07-07 22:52   ` Dmitry Torokhov
2015-07-08  2:16     ` Greg KH
2015-07-08  8:02       ` Jiri Kosina
2015-07-08  9:35         ` Mark Brown
2015-07-08 14:01           ` Theodore Ts'o
2015-07-08 14:36             ` Jason Cooper [this message]
2015-07-08 14:40             ` Jiri Kosina
2015-07-08 15:00             ` Greg KH
2015-07-12 12:55             ` Fengguang Wu
2015-07-13 16:22               ` Steven Rostedt
2015-07-14 13:07                 ` Fengguang Wu
2015-07-08 14:59         ` Greg KH
2015-07-08 15:08           ` Jiri Kosina
2015-07-08 15:42             ` Steven Rostedt
2015-07-07 22:53   ` josh
2015-07-08  7:35   ` Jiri Kosina
2015-07-08 13:05   ` Jason Cooper
2015-07-07 23:31 ` Andy Lutomirski
2015-07-07 23:37   ` Guenter Roeck
2015-07-07 23:38     ` Andy Lutomirski
2015-07-08  8:01   ` Geert Uytterhoeven
2015-07-08  7:31 ` James Bottomley
2015-07-08 13:25 ` Konstantin Ryabitsev

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150708143644.GI23515@io.lakedaemon.net \
    --to=jason@lakedaemon.net \
    --cc=ksummit-discuss@lists.linuxfoundation.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.