Re: [BuildStream] Add setting to disallow insecure transports



On Thu, 2020-06-25 at 12:12 +0100, Frazer Clews wrote:
> Hi
> 
> For this issue I have come up with some solutions.
> 
> Some are similar to the acceptance criteria, adding a setting to
> project.refs, although I am not sure if project.conf is more appropriate.
> Or by setting an optional flag to either toggle or set the option to only
> allow secure sources; I personally prefer the latter, as a toggle could get
> confusing going from project to project.

The project.refs file is not the place for any configuration, this file
is mostly meant to (optionally) store `bst track` results in lieu of
the element.bst files themselves.

Configuration-wise, it may make sense as a project.conf configuration,
or it may make sense as a Source kind specific configuration, which
could then be specified for an entire project using the project.conf's
source configuration override section:

    https://docs.buildstream.build/master/format_project.html#source-overrides

> I have been experimenting with where to put the check for the type of
> protocol being used and stop it, but have only got it properly working so
> far for ftp in downloadablefilesource.py, and it feels kind of hacky, so I
> will look into a better solution, but I am happy for suggestions.

This is the part I'm not sure of, there are a few questions worth
pondering here.

  * How do we determine what is "secure transport"?

    Certainly, once one opens a socket and starts speaking
    some kind of protocol, they could use end-to-end encryption,
    or they could be using cryptographic signing to verify
    downloaded results (like the GPG keys used by the ostree
    sources).

    How do we know?

  * Is the URI scheme really any indicator?

    If so, why?

  * If the URI scheme is really an appropriate indicator, how
    can the core be made aware of what URI scheme a plugin is
    effectively using in order to download things?

    We don't have any API for this.

Possibly, we need more input from the reporter (Adding Michael on CC
here) in order to determine what the underlying use case for this is.

For instance, would GPG-verified downloaded content over http be as
trustable as non-GPG-verified downloaded content over https?

Cheers,
    -Tristan
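As an added illustration of the design being discussed (this is example code, not BuildStream's own code and not anything from the thread's participants): a scheme-based transport check with a project-wide setting that can be overridden per source kind, in the shape of the project.conf source-overrides section Tristan points at. The setting name `allow-insecure-transports`, the scheme lists, the verdict strings and the `verified_by_signature` escape hatch for the "GPG over http" case are all assumptions made here for illustration; the thread itself leaves open whether the URI scheme is a sound indicator at all.

```python
# Added example (not BuildStream's own code). The policy key name, the
# scheme lists and the "verified" escape hatch are assumptions for
# illustration only.
from urllib.parse import urlsplit

# Constructed allow/deny lists. Whether a scheme actually implies an
# encrypted transport is exactly the question raised in the thread, so a
# real policy would need to be project-specific.
ENCRYPTED_SCHEMES = frozenset({"https", "sftp", "ssh", "git+ssh", "git+https"})
PLAINTEXT_SCHEMES = frozenset({"http", "ftp", "git", "git+http"})
LOCAL_SCHEMES = frozenset({"file"})


class InsecureTransportError(Exception):
    """Raised when a source URL uses a plaintext transport that policy forbids."""


def resolve_policy(project_conf, source_kind):
    """Look up the hypothetical 'allow-insecure-transports' setting.

    Mirrors the layout of the project.conf source-overrides section:
    a project-wide default, optionally overridden per source kind
    under 'sources'.
    """
    default = bool(project_conf.get("allow-insecure-transports", False))
    overrides = project_conf.get("sources", {}).get(source_kind, {})
    return bool(overrides.get("allow-insecure-transports", default))


def classify_url(url, *, allow_insecure=False, verified_by_signature=False):
    """Return a verdict for `url`, or raise InsecureTransportError.

    Verdicts: 'secure', 'local', 'insecure-allowed', 'insecure-verified'.
    Unknown schemes fail closed rather than being guessed at.
    """
    scheme = urlsplit(url).scheme.lower()
    if not scheme:
        raise ValueError(f"source URL has no scheme: {url!r}")
    if scheme in ENCRYPTED_SCHEMES:
        return "secure"
    if scheme in LOCAL_SCHEMES:
        return "local"
    if scheme not in PLAINTEXT_SCHEMES:
        raise InsecureTransportError(f"unknown transport scheme {scheme!r} in {url!r}")
    if allow_insecure:
        return "insecure-allowed"
    if verified_by_signature:
        # Integrity comes from a signature rather than the transport (the
        # http-plus-GPG case in the thread); reported as its own verdict so
        # a log reader can tell the two situations apart.
        return "insecure-verified"
    raise InsecureTransportError(f"plaintext transport {scheme!r} forbidden for {url!r}")


def check_source(project_conf, source_kind, url, *, verified_by_signature=False):
    """Apply the project policy to one source URL; True if the fetch may proceed."""
    try:
        classify_url(url,
                     allow_insecure=resolve_policy(project_conf, source_kind),
                     verified_by_signature=verified_by_signature)
        return True
    except InsecureTransportError:
        return False


if __name__ == "__main__":
    # Constructed project.conf fragment: plaintext forbidden project-wide,
    # but the 'ostree' kind (signature-verified) may still use it.
    conf = {"allow-insecure-transports": False,
            "sources": {"ostree": {"allow-insecure-transports": True}}}
    for kind, url in [("tar", "https://example.com/pkg.tar.xz"),
                      ("tar", "ftp://example.com/pkg.tar.xz"),
                      ("ostree", "http://example.com/repo")]:
        print(kind, url, check_source(conf, kind, url))
```

The check is deliberately placed outside any one plugin: a core-level function that takes the URL a plugin reports would avoid the per-plugin patching Frazer describes for ftp, but it presupposes the plugin API for exposing the effective URL scheme that Tristan notes does not yet exist.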
