Re: [BuildStream] Add setting to disallow insecure transports



On Thu, Jun 25, 2020 at 4:58 PM Michael Catanzaro <mcatanzaro gnome org> wrote:

[...]
The use case is that I keep discovering elements in gnome-build-meta
that use http://. I just counted and we have 12 currently, all of which
must have snuck in since the last time I checked for them. Because we
don't have project.refs on the master branch, that means any MITM
attacker between the build server and the server that hosts the tarball
can trivially replace the tarball with arbitrary malicious content and
we would never notice. This is quite easy for a skilled attacker to do,
e.g. with a BGP attack. Without project.refs or refs pinned in the
file, we don't notice and will happily include the malicious content in
the new runtime.

http:// plus GPG could theoretically be secure, but that requires
significant effort to set up and I really don't care. There is zero
excuse for not using https:// in 2020. The safest approach is to
completely ban it from the GNOME runtime (and freedesktop-sdk).
Similarly, ftp:// and git:// also need to be banned. If we have
projects that cannot be downloaded safely from upstream, we can rehost
them.

Michael

Absent a feature in BuildStream currently, would it be a suggestion to add a validation hook on the git repository that rejects definitions that have the URL pattern you wish to ban?

Cheers,

Sander
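One way to implement the validation hook Sander suggests, as an added example that is not part of this thread or of BuildStream itself: a stdlib-only Python check that scans .bst element files and project.conf for source URLs (and alias definitions, which BuildStream prepends to `alias:path` URLs) that use the transports Michael wants banned, and exits non-zero so a pre-receive hook or CI job can reject the push. The embedded sample element and project.conf are constructed, and the line-based YAML scan is an assumption about file shape rather than a BuildStream API.

```python
"""Reject BuildStream definitions whose sources use insecure transports."""
import re
import sys
from typing import Iterable, List, Tuple

# The transports the thread proposes to ban: no authenticity without extra setup.
INSECURE_SCHEMES = ("http://", "ftp://", "git://")

# A YAML "key: value" line whose scalar is a URL. Covers a source's `url:` key
# and the entries under `aliases:` in project.conf (which BuildStream expands).
URL_VALUE = re.compile(
    r"^\s*-?\s*([\w-]+):\s*['\"]?([a-z][a-z0-9+.-]*://[^'\"\s]+)", re.I)

Finding = Tuple[str, int, str]  # (path, line number, offending url)

def find_insecure_urls(text: str, path: str = "<stdin>") -> List[Finding]:
    """Return one finding per URL value that starts with a banned scheme.
    YAML comments are stripped first, so a commented-out URL is not flagged."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw)
        m = URL_VALUE.match(line)
        if m and m.group(2).lower().startswith(INSECURE_SCHEMES):
            findings.append((path, lineno, m.group(2)))
    return findings

def check_files(paths: Iterable[str]) -> List[Finding]:
    """Scan each file on disk; a hook would pass the changed .bst files here."""
    findings: List[Finding] = []
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            findings.extend(find_insecure_urls(fh.read(), p))
    return findings

# Constructed sample element in the shape of a gnome-build-meta .bst file.
SAMPLE_ELEMENT = """\
kind: autotools
sources:
- kind: tar
  url: http://ftp.example.org/pub/foo/foo-1.2.tar.xz   # plain http: flagged
  ref: 0000000000000000000000000000000000000000000000000000000000000000
- kind: git
  url: https://gitlab.example.org/foo/bar.git          # https: accepted
- kind: git
  url: git://anongit.example.org/baz.git               # git protocol: flagged
"""
# Constructed project.conf: an alias that silently expands to ftp is caught too.
SAMPLE_PROJECT_CONF = "name: example\naliases:\n  gnome: https://download.gnome.org/\n  legacy: ftp://ftp.example.org/\n"

if __name__ == "__main__":
    hits = check_files(sys.argv[1:]) if len(sys.argv) > 1 else (
        find_insecure_urls(SAMPLE_ELEMENT, "foo.bst")
        + find_insecure_urls(SAMPLE_PROJECT_CONF, "project.conf"))
    for path, lineno, url in hits:
        print(f"{path}:{lineno}: insecure transport in {url}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run with no arguments it checks the embedded samples; run with file paths it checks those files and exits 1 on any finding.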

