#1 2009-04-20 20:55:12

sasan
Member
Registered: 2009-04-20
Posts: 2

how secure are the repos

Hi,

I hope everyone is doing well. How are the packages in the extra, community, and testing repos screened? What I want to know: is there a security team of trusted individuals that reviews the code of software to ensure there is no maliciousness and then compiles the code, packages it and posts it to the repos? Security is very important to me, and in my opinion the trustability of the packages hosted in a particular distro's repository is probably the most important quality a distro can have.

Thank You


#2 2009-04-20 21:44:36

stabele
Member
Registered: 2008-12-22
Posts: 101

Re: how secure are the repos

If security is the main concern, I doubt that a bleeding-edge distro like Arch is the safest choice. I am very happy with Arch on a workstation, but for production servers we use Debian stable; another common choice is CentOS. General info about the repositories and who is in charge of which is in the Arch wiki.

Last edited by stabele (2009-04-20 21:54:32)


#3 2009-04-20 22:46:54

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: how secure are the repos

Hello sasan, welcome!

In my opinion, the safest choice is using the ABS system and the AUR (compiling everything);

it's easy because you only need to take a look at the PKGBUILD files (and that is quite easy).

This leads you to trust the original source code (which depends on the app you are installing). If using the AUR, then the package you are making/installing will be downloaded from the original site and then make'd up.



link to the AUR


Last edited by quarkup (2009-04-20 22:49:36)


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.
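Taking a look at the PKGBUILD, as quarkup suggests, is a manual read, but the mechanical part of that read can be scripted. The following script is an added example written for this thread; it is not code from the Arch project or from any poster. It parses a constructed sample PKGBUILD as plain text (the file is never sourced, so nothing in it executes during review) and reports the points a reviewer checks before running makepkg: a missing or weak checksum array, a source with checksum SKIP, a download without TLS, and a download from a host other than the declared upstream url. The package name, hosts and checksums in the sample are placeholders, and the parser assumes the simple name=value and name=(...) forms; values computed in shell are left unexpanded.

```python
"""Static pre-build review of a PKGBUILD (added example, constructed data).

The file is parsed as text and never sourced, so nothing inside it runs
during review. Only the plain ``name=value`` and ``name=(...)`` forms that
most PKGBUILDs use are understood; anything computed in shell is skipped.
"""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample: package name, hosts and checksums are placeholders.
SAMPLE_PKGBUILD = r"""
# Maintainer: constructed example, not a real AUR package
pkgname=examplepkg
pkgver=1.2.3
pkgrel=1
url="https://example.org/examplepkg"
source=("https://example.org/releases/$pkgname-$pkgver.tar.gz"
        "http://mirror.example.net/helper.patch"
        "fix-build.patch")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            '1111111111111111111111111111111111111111111111111111111111111111')

build() {
  cd "$pkgname-$pkgver"
  make
}
"""

# name=value (optionally quoted) on its own line, but not the start of an array
SCALAR_RE = re.compile(r'^([A-Za-z_]\w*)=(?!\()(["\']?)([^\n]*?)\2\s*$', re.M)
# name=( ... ) possibly spanning several lines
ARRAY_RE = re.compile(r'^([A-Za-z_]\w*)=\(([^)]*)\)', re.M)
VAR_RE = re.compile(r'\$\{?(\w+)\}?')
# Strongest first; makepkg still accepts md5/sha1, so they are flagged, not rejected.
CHECKSUM_ARRAYS = ("b2sums", "sha512sums", "sha256sums", "sha1sums", "md5sums")


def expand(value, scalars):
    """Substitute $var / ${var} using the scalars found in the same file."""
    return VAR_RE.sub(lambda m: scalars.get(m.group(1), m.group(0)), value)


def parse_pkgbuild(text):
    """Return (scalars, arrays) with $pkgname-style references expanded."""
    scalars = {name: value for name, _quote, value in SCALAR_RE.findall(text)}
    scalars = {k: expand(v, scalars) for k, v in scalars.items()}
    arrays = {name: [expand(item, scalars) for item in shlex.split(body)]
              for name, body in ARRAY_RE.findall(text)}
    return scalars, arrays


def review_pkgbuild(text):
    """List the findings a reviewer wants to see before running makepkg."""
    scalars, arrays = parse_pkgbuild(text)
    findings = []
    sources = arrays.get("source", [])
    sums_name = next((k for k in CHECKSUM_ARRAYS if k in arrays), None)
    sums = arrays[sums_name] if sums_name else None
    if sums is None:
        findings.append("no checksum array: sources are not integrity-checked")
    else:
        if sums_name in ("sha1sums", "md5sums"):
            findings.append(f"{sums_name} is a weak integrity check; prefer sha256sums or b2sums")
        if len(sums) != len(sources):
            findings.append(f"{len(sources)} sources but {len(sums)} checksums")
    upstream_host = urlparse(scalars.get("url", "")).hostname
    for i, src in enumerate(sources):
        # makepkg accepts 'localname::url'; only the URL part matters here
        url = src.split("::", 1)[1] if "::" in src else src
        parsed = urlparse(url)
        if not parsed.scheme:
            continue  # file shipped beside the PKGBUILD: read it by hand
        if parsed.scheme in ("http", "git+http", "ftp"):
            findings.append(f"source[{i}] is fetched without TLS: {url}")
        if sums and i < len(sums) and sums[i].upper() == "SKIP":
            findings.append(f"source[{i}] has checksum SKIP: {url}")
        if upstream_host and parsed.hostname != upstream_host:
            findings.append(f"source[{i}] comes from {parsed.hostname}, "
                            f"not the declared upstream {upstream_host}")
    return findings


if __name__ == "__main__":
    for line in review_pkgbuild(SAMPLE_PKGBUILD) or ["no findings"]:
        print(line)
```

On the sample, all three findings point at the second source: plain http, checksum SKIP, and a host that is not the declared upstream. A clean report is only a filter for the manual read, not a replacement for it: the build() and package() bodies, any bundled patches, and the upstream tarball itself still have to be looked at before the package is built and installed.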


#4 2009-04-21 15:17:23

stabele
Member
Registered: 2008-12-22
Posts: 101

Re: how secure are the repos

Sure, Arch has a lot to offer from the perspective of security:
- as quarkup mentioned, pacman on one side and ABS and the AUR on the other allow you to install packages either binary- or source-distributed. The most important packages have an AUR package that builds directly from the application's source control system, so you can take changes directly from upstream in a convenient way if you prefer.
- the greatest advantage in security is Arch's KISS philosophy. A basic Arch install is clean and minimalist, without unnecessary stuff. It is much easier to build a safe system from this point (and carefully add just what you need and trust) than to try to secure a "rich" distro. Pacman does not automatically configure the system, so you keep full control of what is going on.
- Arch repositories are ordered by how much spotlight from Arch developers and the community they get (core -> extra -> community -> AUR/unsupported), so you have some hint of how much you can expect to trust them.

Arch usually takes applications from upstream quickly, with minimal custom patches. This is both good and bad for security. Fresh versions sometimes have new bugs, and distros which take much longer to adopt new versions have a better chance to filter them out. On the other hand, fast adoption brings bug/security fixes ASAP, and custom patches by distributions may introduce new bugs/vulnerabilities (like the infamous weak SSH keys in Debian once).

But back to my first post: one must keep in mind that Arch uses rolling releases. It is a great choice for a workstation, but for a server one may want to say one day "OK, now this server is configured; from now on I want only security and critical bug updates", and that is not really supported by Arch. But in long-tested distros like Debian it sometimes takes a few years to get features which are in Arch now. Distros that release versions often (like Ubuntu or Fedora) are not so far behind Arch, but from a security point of view I am afraid they share most disadvantages of both the rolling- and fixed-release models.

Last edited by stabele (2009-04-21 15:22:24)


#5 2009-04-21 15:32:09

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: how secure are the repos

Short answer: No.


#6 2009-04-23 13:44:28

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: how secure are the repos

edit:
[offtopic ...]

Last edited by quarkup (2009-04-23 16:34:09)




#7 2009-04-23 14:39:43

stabele
Member
Registered: 2008-12-22
Posts: 101

Re: how secure are the repos

quarkup, I am afraid we both replied to a different question than the original one. Only bender02 (please insert girder!) kept to the topic.

Last edited by stabele (2009-04-23 14:40:07)


#8 2009-04-23 16:38:46

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: how secure are the repos

here goes the girder:
Yes, there is a group of Trusted Users.


I found this in the wiki:
http://wiki.archlinux.org/index.php/Trusted_Users
http://wiki.archlinux.org/index.php/AUR … Guidelines

Last edited by quarkup (2009-04-23 16:39:36)




#9 2009-04-23 18:49:57

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: how secure are the repos

Well, the thing is that no one actually reviews the code for maliciousness and *then* compiles it and then puts it into the repos. Correct me if I'm wrong and deeply underestimate the devs and TUs, but I believe that they take a look into the code only when something doesn't work as expected and the usual fixes (recompile, search whether someone had a similar problem) don't help *and* it's an application/library that they actually use. There are *lots* of programs in the repos that are *just* downloaded (sources), compiled and put into the repos. So this is your long answer for the short answer 'no'.


#10 2009-04-23 21:16:19

darthaxul
Member
Registered: 2008-09-24
Posts: 156

Re: how secure are the repos

Some of these programs are huge, and in reality there is no way to screen all those lines of code unless you use some kind of program to search each file, and then after that compile and run the program to see if indeed it compromised your system somehow.
