
Thread: Question about Unsupported openSUSE Repositories - Are they secure?

  1. #1

    Question about Unsupported openSUSE Repositories - Are they secure?

    When looking for an application that is not in the default openSUSE repositories,
    I go to software.opensuse.org: Search to get them, e.g. fluxbox, keepassx.

    This warning message is shown before showing the packages:
    Please be aware that the following packages are from unofficial repositories. That means they are not reviewed by openSUSE and may contain unstable or experimental software.

    I am fine with unstable or experimental software.
    However, I am curious/concerned whether these repositories are as secure as the main repositories (since openSUSE declared that they had not reviewed them).


    Can we safely assume that these are as secure?

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    On 2013-01-31 11:26, michalng wrote:
    > I am fine with unstable or experimental software.
    > However, I am curious/concerned whether these repositories are as secure as the
    > main repositories (since openSUSE declared that they had not reviewed
    > them).


    There is no way to know.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  3. #3
    dd NNTP User

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    On 01/31/2013 11:26 AM, michalng wrote:
    > Can we safely assume that these are as secure?


    no. they _might_ be a hot-bed of rootkits...

    but, to the best of my knowledge nothing like that has ever been found,
    reported or even hinted at..

    personally, i shy away from the /home accounts (except for those who i
    recognize as long time contributors, and therefore trust, like:
    <snip>/repositories/home:/malcolmlewis:/<snip> and
    <snip>/repositories/home:/please_try_again/<snip>)


    --
    dd
    http://tinyurl.com/DD-Caveat

  4. #4
    Join Date
    Mar 2009
    Location
    United States
    Posts
    612

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    Yeah. I leave a warning on my OBS repository stating that everything there is experimental and there will not be any help if it breaks.

  5. #5
    Join Date
    May 2010
    Location
    Space Colony Lagrange Point 22° à, 77° Ƅ, 56° ɤ, 99° ɜ
    Posts
    3,166

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    Don't the OBS directories and download.opensuse.org get scanned every now and then :-)
    GNOME Version 3.20.2
    openSUSE Leap 42.3 64-bit

    www.vazhavandan.blogspot.com

  6. #6
    dd NNTP User

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    > Don't the OBS directories and download.opensuse.org get scanned every
    > now and then :-)


    the official directories are closely monitored and protected by
    certificates and hashes..

    but the /home directories: scanned by what/who?

    --
    dd

  7. #7
    Join Date
    May 2010
    Location
    Space Colony Lagrange Point 22° à, 77° Ƅ, 56° ɤ, 99° ɜ
    Posts
    3,166

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    Quote Originally Posted by dd:
    > Don't the OBS directories and download.opensuse.org get scanned every
    > now and then :-)


    the official directories are closely monitored and protected by
    certificates and hashes..

    but the /home directories: scanned by what/who?

    --
    dd
    Forgot the question mark in the post. It seems any malware can come and attach itself to packages in download.opensuse.org
    GNOME Version 3.20.2
    openSUSE Leap 42.3 64-bit

    www.vazhavandan.blogspot.com

  8. #8
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    On 2013-01-31 18:16, nightwishfan wrote:
    >
    > Yeah. I leave a warning on my OBS repository stating that everything
    > there is experimental and there will not be any help if it breaks.


    That's nice of you. But how can we see that warning when adding a repo
    with, for instance, "zypper ar ..."? Does it show?

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  9. #9

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    Quote Originally Posted by nightwishfan:
    Yeah. I leave a warning on my OBS repository stating that everything there is experimental and there will not be any help if it breaks.

    Breaking is okay; as mentioned previously, there's a warning message shown before the packages are listed:
    Please be aware that the following packages are from unofficial repositories. That means they are not reviewed by openSUSE and may contain unstable or experimental software.


    My concern is more on security.
    Since the official message only mentions breakage, does it imply that security is okay?


    For example, when looking for keepassx, security is definitely important since it holds all the passwords of its users.


    Using keepassx as an example again:

    this repo looks official/safe/secure
    this repo maybe, depending on whether we know the user
    But if the search is done through an official channel provided by openSUSE (software.opensuse.org: Search),
    and the warning is only about breakage and not security,
    users like me may assume that the repos presented are secure.

  10. #10
    Join Date
    Nov 2010
    Location
    BEIJING,CHINA; SHANGHAI,CHINA
    Posts
    664

    Re: Question about Unsupported openSUSE Repositories - Are they secure?

    It _depends_ on how you define "security".

    1. There are three sets of repositories in openSUSE:

    * Official Repositories for User: OSS and NON-OSS
    * User Home Repositories: A user's own playground starting with home:xxx
    * Official Devel Repositories for Dev: All others.

    Server Side: They're all on the same infrastructure (OBS server and d.o.o server) and under the same protection by SuSE (we can't, e.g., just protect an OSS directory and let other stuff on the same server explode, because such an action is harder to achieve and is also a potential threat to our servers).

    Client Side: Their packages are all protected by the automatically created GPG keys to prevent man-in-the-middle attacks or transmission loss. That's why you have to import a GPG key before adding a repository. If something is changed, YaST or zypper will warn you. This is also the common technology used by distributions to deliver packages, which is, to make the one you get the same as the one on the server.

    So literally, if you define security as the security in "security service", all repositories openSUSE provides and the ones for which openSUSE provides only the infrastructure are at the same level. If there are ways to attack "unofficial", "unstable", "experimental", "unreviewed" repositories, the openSUSE official ones can't survive either.

    2. If you define "security" as "Don't deliver malware".

    It hardly can be, although it still can. But such an action can't exist long. Because the cracker has to upload source code to build on OBS (we have a blacklist preventing shipping binaries), I don't know if SuSE has security scans for uploaded sources, but it's too easy to find such behaviour that no one will actually choose to do it.

    3. If you define "security" as "Don't brick my system".

    It can.

    home repositories are users' playgrounds; you don't know if they are packaging masters or know nothing. I don't know either. That's why we warn you "experimental".

    devel repositories are developers' playgrounds; we make fewer mistakes than users, but we still make mistakes, we introduce bugs. Even in Factory there are also a lot of unknown bugs. The procedure from devel repo to Factory repo can only eliminate packaging flaws. But as there are more bugs in devel repositories than in the Factory repository, we warn you "unstable".


    Hope it helps

    Marguerite
    Last edited by MargueriteSu; 01-Feb-2013 at 07:50.
    Describe questions in details. Google the 'broken application + error message' first
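The three repository sets Marguerite describes (distribution, devel, home:) and the client-side GPG check she mentions can be audited from the zypper repo definitions alone. The script below is an added example, not code from the thread or from openSUSE: it writes two constructed sample `.repo` files into a temporary directory (the real files live in /etc/zypp/repos.d), classifies each by whether its baseurl points at a home: project, another OBS project or the distribution tree, and reports whether package signature checking (gpgcheck) has been explicitly disabled. It assumes zypper's default of gpgcheck being on when the key is absent from the file.

```shell
#!/bin/sh
# Audit zypper .repo files: which trust domain does each repo belong to,
# and is GPG signature checking still enforced for it?

# Directory holding the repo files; defaults to a scratch dir for the sample.
REPO_DIR="${REPO_DIR:-$(mktemp -d)}"

# Constructed sample entries shaped like /etc/zypp/repos.d/*.repo.
write_samples() {
    cat > "$REPO_DIR/repo-oss.repo" <<'EOF'
[repo-oss]
name=openSUSE-Leap-42.3-Oss
enabled=1
baseurl=http://download.opensuse.org/distribution/leap/42.3/repo/oss/
gpgcheck=1
EOF
    cat > "$REPO_DIR/home_example.repo" <<'EOF'
[home_example_user]
name=home:example_user (openSUSE_Leap_42.3)
enabled=1
baseurl=http://download.opensuse.org/repositories/home:/example_user/openSUSE_Leap_42.3/
gpgcheck=0
EOF
}

# Print the value of key $2 from repo file $1 (first match, empty if absent).
repo_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Classify one repo file; prints "<alias> <scope>-<check>", where scope is
# home (user playground), devel (other OBS project) or distribution, and
# check is unsigned only when gpgcheck is explicitly set to 0.
classify_repo() {
    alias=$(sed -n 's/^\[\(.*\)\]$/\1/p' "$1" | head -n 1)
    url=$(repo_value "$1" baseurl)
    case "$url" in
        */repositories/home:/*) scope=home ;;
        */repositories/*)       scope=devel ;;
        *)                      scope=distribution ;;
    esac
    if [ "$(repo_value "$1" gpgcheck)" = "0" ]; then check=unsigned; else check=signed; fi
    printf '%s %s-%s\n' "$alias" "$scope" "$check"
}

# Walk every repo definition in REPO_DIR and print one classification line each.
audit_repos() {
    for f in "$REPO_DIR"/*.repo; do classify_repo "$f"; done
}

write_samples
audit_repos
```

Point REPO_DIR at /etc/zypp/repos.d (and drop the write_samples call) to run it against a real system; a home-unsigned line means a user playground repo whose packages would install without the signature check the thread relies on.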
