How secure is openSUSE build service ("1-Click- Install")? - Suse


Thread: How secure is openSUSE build service ("1-Click- Install")?

  1. How secure is openSUSE build service ("1-Click- Install")?

    Hello folks,

    I wanted to install rsync with the 1-Click-install function of the openSUSE
    website.
    Then I realized that the source is not openSUSE, but
    "sergey1369:rsync/openSUSE_11.0".

    So my question is: How secure are these sources actually?
    As I plan to use the software in a working environment, I would not like to
    install things from dubious sources.
    Can I take the files from there, or would it be better to take the sources and
    compile them myself?

    Thanks for any info!

    Cheers
    Tom


    --
    Help keep the usenet free!
    Use and/or support (e.g. by setting up an own server) the nonprofit
    open-news-network project:
    http://www.open-news-network.org/


  2. Re: How secure is openSUSE build service ("1-Click- Install")?

    Tom wrote:
    >
    > Hello folks,
    >
    > I wanted to install rsync with the 1-Click-install function of the openSUSE
    > website.
    > Then I realized that the source is not openSUSE, but
    > "sergey1369:rsync/openSUSE_11.0".


    Why not use the ones from openSUSE?
    http://software.opensuse.org/ymp/ope...dard/rsync.ymp

    > So my question is: How secure are these sources actually?


    As (un)safe as any third party. It is technically possible to insert
    insecure code into it.

    > As I plan to use the software in a working environment, I would not like to
    > install things from dubious sources.


    Then do not select a dubious source.

    > Can I take the files from there, or would it be better to take the sources and
    > compile them myself?


    Taking them from there is exactly the same as installing the RPM, unless
    you read the source yourself. If you want the most secure thing, go
    as close to the source as possible, take it from there and compile it
    yourself.

    I would just use the official release. I also do trust what is on the
    rest of the server, although I know these are not official things.

    From a purely theoretical point of view: What you can do is ask for an account
    yourself and then see if there is a change done to the sources he uses,
    and see what the other files are that he used.
    e.g. I see the following there:
    system-zlib.diff for package rsync (Project home:sergey1369:rsync)
    --- Makefile.in
    +++ Makefile.in
    @@ -40,7 +40,8 @@
    DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o
    authenticate.o
    popt_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \
    popt/popthelp.o popt/poptparse.o
    -OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ)
    @BUILD_POPT@
    +OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) @BUILD_POPT@
    +LIBS += -lz
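    Review bot: The hunk hardcodes `+LIBS += -lz` in Makefile.in instead of letting configure detect the system zlib, so a build on a host without zlib headers or with an incompatible zlib version fails (or silently links something unexpected) at link time rather than at configure time; a configure check that sets LIBS would be the cleaner change. Also, `+=` is a GNU make extension, while the surrounding file uses plain `=` assignments, so this Makefile.in no longer builds with a POSIX make. Note that the visible change only drops `$(ZLIBOBJ)` from `OBJS` and adds the link flag; it contains no code, so what the patch actually does to the resulting binary is to make rsync's compression depend on whatever zlib the system provides, and its security then follows that system package's update status.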


    There are other files in there as well. However, if you use it as an update
    as well, then you must verify the source (as with each change) yourself.

    So in a purely theoretical way, yes, it is possible to give you insecure
    code. That is always possible for each and every maker of software,
    including Novell and yourself. Whether by accident or on purpose is a
    different matter.

    houghi
    --
    It's people. Source code is made out of people! They're making our
    source out of people. Next thing they'll be breeding us like cattle
    for code. You've gotta tell them. You've gotta tell them!
