You are not logged in.

#1 2012-04-16 20:59:46

work
Member
Registered: 2012-03-25
Posts: 40

[SOLVED] Officially supported packages: is their code checked?

My question is a little silly. When a package enters the official repository, is its code checked by the Maintainer? Just saying, just in case there is something strange in it.
Thank you

Last edited by work (2012-04-17 08:43:48)

Offline

#2 2012-04-16 21:14:28

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [SOLVED] Officially supported packages: is their code checked?

I doubt anyone audits the code, but the maintainer should test it to see if it works and doesn't do something silly https://github.com/MrMEEE/bumblebee-Old … issues/123

Offline

#3 2012-04-16 22:44:46

tomegun
Developer
From: France
Registered: 2010-05-28
Posts: 661

Re: [SOLVED] Officially supported packages: is their code checked?

work wrote:

When a package enters the official repository, is its code checked by the Maintainer?

Short answer: no.

In practice it is up to the judgement of the individual maintainer, but I doubt anyone ever truly audits code. Some sanity checks are of course done.

Offline

#4 2012-04-16 23:14:14

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: [SOLVED] Officially supported packages: is their code checked?

Does the false sense of security from having our packages signed now wash away given the primary attack vector of the upstream source is still wide open?

Offline

#5 2012-04-16 23:19:25

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,444
Website

Re: [SOLVED] Officially supported packages: is their code checked?

If you can't trust what comes from upstream, then don't swim in the river! wink


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#6 2012-04-17 01:20:48

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: [SOLVED] Officially supported packages: is their code checked?

If you can't trust upstream, why do you trust our developers and TUs? Some of them are known breakage-creators (Allan), some of them may not even exist in real life in any real provable manner (Xyne).


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#7 2012-04-17 03:20:09

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092
Website

Re: [SOLVED] Officially supported packages: is their code checked?

Allan wrote:

Does the false sense of security from having our packages signed now wash away given the primary attack vector of the upstream source is still wide open?

Don't be bitter! wink

Offline

#8 2012-04-17 04:32:32

Montague
Banned
Registered: 2010-06-24
Posts: 93

Re: [SOLVED] Officially supported packages: is their code checked?

 

Last edited by Montague (2015-07-28 02:48:55)

Offline

#9 2012-04-17 05:02:59

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: [SOLVED] Officially supported packages: is their code checked?

Montague wrote:

does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind?

Bottomline, yes. It all comes down to "trust on the web" again. If you're using package X by developer Y, you're going to have to trust Y up to a certain degree (or audit every line of code before putting it to use).


Burninate!

Offline

#10 2012-04-17 05:15:10

Runiq
Member
From: Germany
Registered: 2008-10-29
Posts: 1,053

Re: [SOLVED] Officially supported packages: is their code checked?

Allan wrote:

Does the false sense of security from having our packages signed now wash away given the primary attack vector of the upstream source is still wide open?

I lol'd heartily.

Also, if you want to be really kinda sure, look for developers that sign commits to their repos with GPG and whatnot. Then you at least know whom to blame…

Offline

#11 2012-04-17 05:18:30

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: [SOLVED] Officially supported packages: is their code checked?

Montague wrote:

Interesting discussion. Let me see if I understand correctly: does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind? That would be an insane amount of work! ...

You have never worked on a system on which lives depend, have you?  wink


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#12 2012-04-17 06:17:33

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: [SOLVED] Officially supported packages: is their code checked?

ewaller wrote:
Montague wrote:

Interesting discussion. Let me see if I understand correctly: does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind? That would be an insane amount of work! ...

You have never worked on a system on which lives depend, have you?  wink

<OT>The other day I was weeding... MY life certainly depended on it, what with my wife's attitude towards gardens</OT>

And I do recall reading about holes even if software used by the US DOD, so no, I don't think anyone actually DOES the work, though it would seem to be necessary for absolute surety.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#13 2012-04-17 06:33:48

knopwob
Member
From: Hannover, Germany
Registered: 2010-01-30
Posts: 239
Website

Re: [SOLVED] Officially supported packages: is their code checked?

Montague wrote:

Interesting discussion. Let me see if I understand correctly: does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind? That would be an insane amount of work!

If you can read (and understand and evaluate if it's containing a bug/problem)  one line of code per second, then it would take 173 days to read through the linux sources.

Offline

#14 2012-04-17 08:43:35

work
Member
Registered: 2012-03-25
Posts: 40

Re: [SOLVED] Officially supported packages: is their code checked?

Thank you for all your answers.
My question was silly indeed as I can see

Offline

Board footer

Powered by FluxBB