Opensuse build service. What about security and risks?

I just finished reading these posts: Re: [opensuse-buildservice] How secure is openSUSE build service?
I found it worrying.
There are some packages that only can be found in the build service. I myself have installed some of them, perhaps 1, 2 or 3. One of those that I haven’t used later but I recall I only got from there is Qsynth.
Now, what is really the truth about the openSUSE build service? Is it insecure? Does it have any security checks? Is it risky to use its packages?

(If there is anybody out there who really understands the structure of the openSUSE system and that of the build service itself, such as an administrator, developer or something like this, please give feedback on this question.)

On 2011-04-26 23:36, fernando a martin wrote:
>
> I just finished reading these posts: ‘Re: [opensuse-buildservice] How
> secure is openSUSE build service?’

There is a buildservice sub forum here - ask them :-)


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 04/26/2011 11:50 PM, Carlos E. R. wrote:
> There is a buildservice sub forum here - ask them :-)

here:
http://forums.opensuse.org/english/other-forums/development/opensuse-build-service-obs/


CAVEAT: http://is.gd/bpoMD
[openSUSE 11.3 + KDE4.5.5 + Thunderbird3.1.8 via NNTP]
Q: What do you get if you divide the circumference of a jack-o-lantern
by its diameter?
A: Pumpkin Pi!

Yes, there definitely is a risk, and the risk is not only of a theoretical nature.

I don’t see a great risk of someone spreading malware like rootkits via the OBS, because an attacker is usually interested in spreading his work as widely as possible; a repository used by a couple of hundred users (and that is an optimistic assumption) does not seem to be an appropriate way to do so.

The risk is rather an unintentional one: many home:-repos are managed by inexperienced builders who produce heavily flawed packages full of bugs. I haven’t tried them all (and generally avoid them), but I suppose about 90% of the home:-repos contain utter trash. The post you linked contains a very simple truth:

You have to trust the project you add the URL for.

If you do not trust the project: don’t use it. If you don’t know whether to trust it: don’t use it. There is no way to find out about the quality of a package in advance; it’s all a matter of experience. I, for example, trust the Packman team, because they are established and have been building packages for many years now. I even know some of the builders and have read comments by them in various forums, so I had an opportunity to make up my mind. I do trust MalcolmLewis’ home:-repos because I read his posts here and note that he is very cautious about what he offers. And I have had some very bad experiences when I was less experienced and still willing to give pretty much every source a shot.

If you cannot find a certain package in a trusted repository, ask someone you trust.
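One practical way to act on that advice is to inventory what you already have installed from home: projects. The script below is an added example, not code from the thread or from openSUSE; it assumes that OBS-built RPMs carry a Vendor tag of the form obs://build.opensuse.org/<project> (check with `rpm -qi <pkg>` on your own box) and runs on a constructed sample unless given `--live`.

```shell
#!/bin/sh
# Added example: list installed RPMs whose Vendor tag points at an OBS
# home: project, so packages pulled in from personal repositories can be
# reviewed against the repositories you actually decided to trust.
# ASSUMPTION: OBS fills the RPM Vendor tag with
# "obs://build.opensuse.org/<project>" for packages it builds.

# Constructed stand-in for `rpm -qa --qf '%{NAME}\t%{VENDOR}\n'` output,
# so the script runs offline; vendor strings are invented sample values.
SAMPLE=$(printf 'qsynth\tobs://build.opensuse.org/home:someuser\n'
        printf 'bash\topenSUSE\n'
        printf 'vlc\thttp://packman.links2linux.de\n'
        printf 'rosegarden\tobs://build.opensuse.org/home:anotheruser\n'
        printf '(none)\t(none)\n')

# Reads "name<TAB>vendor" lines on stdin and prints "name<TAB>project"
# for every package whose vendor is an OBS home: project.
home_obs_packages() {
    awk -F'\t' '$2 ~ /^obs:\/\/build\.opensuse\.org\/home:/ {
        sub(/^obs:\/\/build\.opensuse\.org\//, "", $2)
        print $1 "\t" $2
    }'
}

# Number of such packages on stdin (handy as a one-line summary).
count_home_obs_packages() {
    home_obs_packages | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    # Real inventory of the running system.
    rpm -qa --qf '%{NAME}\t%{VENDOR}\n' | home_obs_packages
else
    printf '%s\n' "$SAMPLE" | home_obs_packages
fi
```

On the sample this lists qsynth and rosegarden with their home: projects; with `--live` it does the same for the installed system.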

I’m a Windows user and I need CD burning software, but I have no money and can’t pay for Nero. I found this one on a random website: CDBurnerXP: Free CD and DVD burning software. Is it safe?

No it isn’t!!! I don’t know the first thing about the author. You trust people, not software, and the rules to trust people are the same everywhere… they are not any different for computers.

“Security checks”? What security checks do you want to apply? There is no real difference between malware and “normal” software; it’s just software that does what its programmer programmed.

And please, don’t trust the packages from the official repository more than you trust the people who are involved in putting them there. They are in no way 100% safe. If you didn’t program it yourself, don’t totally trust it.

Well, as for bugs, I always have to work around them. Some widely recognized software has several bugs and we have to live with them until they are fixed. And some never are. My biggest concern is about malicious code. I know that even developers of distros could do this. But if they did and it was discovered in the sources, would it not ruin that distro? Is it very likely that big companies such as Novell, Canonical and Mandriva would ruin their reputation by inserting malicious code into their software?
But I also realize that downloading packages compiled by users for openSUSE becomes almost the same as downloading software from several sites and unknown sources and installing it on Windows. Sometimes OBS is still a better option because at least you may search for anything in one place and it’s free, not just demos or full of advertising.
And it’s not only a flaw of openSUSE. Debian is known to have the largest number of packages. But some of them remain a long time without being updated in Debian and sometimes in Ubuntu also. Once, in Ubuntu, I wanted to get rid of some bugs in Rosegarden 10.02, but they never updated it, so I downloaded a new version from a PPA of a user who always kept it up to date. Later I worried whether it was secure, but soon I moved to openSUSE and forgot about it all. Now the same worry comes again about the OBS.
I know that if I become paranoid about security I will indeed become crazy, because there’s no 100% security in computing. But I’m just trying to come to reasonable conclusions about what may be usable, unusable, low risk, high risk and so on. Is it possible, at least to some extent, to use the software I need with a low risk of malicious attacks?

Nobody can give you a guarantee for that. What I thought up (about the OBS simply being a not so very attractive platform to share malware) seems logical to me. After all, you have to make your own choices. What I find particularly risky is moving one’s own responsibility to something else, like for example a personal firewall, a virus scanner or whatever. The best protection is your own brain (when used).

You seem to be on a good way by trying to find out about security risks, but I am afraid you still have to decide yourself. In theory, the OBS would be a fine way of spreading malicious code, true, yet it never happened (as far as we know). And that seems to prove the logical assumption I made.

I suppose the chances of a distributor including malware are even lower, for the reasons you mentioned. I can’t really think of a reason why a team would do that anyway.

Well. It seems that using OBS is very similar to downloading open source software from anywhere online, installing it and using it.
If there are no reports about malware in OBS, it’s likely that the risk is low. Otherwise we may start to worry.
After all, since this post has received a reasonable number of views, I will leave a question here in case anyone has an answer:

Does anyone know of any verified report about malware in the openSUSE build service? If so, what was it, and from what source was it verified?