[Ksummit-discuss] [CORE TOPIC] services needed from kernel.org infrastructure

Jason Cooper jason at lakedaemon.net
Wed Jul 8 14:36:44 UTC 2015


On Wed, Jul 08, 2015 at 10:01:55AM -0400, Theodore Ts'o wrote:
> On Wed, Jul 08, 2015 at 10:35:11AM +0100, Mark Brown wrote:
> > 
> > I think the only barrier here is someone writing some tooling that is
> > sufficiently useful and generic enough to work for people.  I know I
> > wrote my scripts mainly because none of the scripts I could find tie in
> > with my workflow (mainly around figuring out which branches in my local
> > tree correspond to branches on the server and syncing them up).  If
> > there'd been something I could just pick up I'd have happily done so.
> 
> Yeah, your concerns mirror mine:
> 
> 1) It will require a lot of configuration --- just because a commit
> shows up on a branch does not mean it is guaranteed that it will hit
> mainline.  In fact, a maintainer might push a commit onto a throwaway
> branch on kernel.org just so that the zero-day testing systems can
> give the commit a spin.  So that means it's not just enough to throw a
> bunch of git hook scripts on master.kernel.org, because maintainers
> will need to have to configure, if not customize, them.

Ack.  Is there room for a convention here?  e.g. dev opts in, which
means that tree follows a certain branch naming convention.

> This leads to my second concern which is:
> 
> 2) Having shell scripts run on master.kernel.org can be a significant
> security concern; this is *especially* true if customization or
> configuration is required.

Is it worse for an attacker to execute code as a designated,
unprivileged user on the server, with access to copies of repos?  Or, to
execute code as a dev on a dev box?  The latter potentially giving
access to ssh and pgp keys.

I'd argue that it's Konstantin's and David's jobs to keep those servers
locked down and properly configured.  Devs and dev boxes are held to no
such standard, and yet contain much more critical resources.

We can easily detect and recover from an attacker changing a repo on the
server.  The PGP signed tag will fail.  How do we detect and recover
from, say, Greg or Linus' machine being compromised?

This threat model assumes an intentionally malicious attacker whose goal
is to get bad shit into the kernel and pass git tag verification.

thx,

Jason.


More information about the Ksummit-discuss mailing list