launchpad-dev team mailing list archive

Thread
Date

Re: Build From Branch, or BFB

To: Julian Edwards <julian.edwards@xxxxxxxxxxxxx>
From: James Westby <jw+debian@xxxxxxxxxxxxxxx>
Date: Wed, 07 Oct 2009 16:23:08 +0100
Cc: Launchpad Community Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <200910071511.46021.julian.edwards@canonical.com>
User-agent: Sup/0.8.1

On Wed Oct 07 15:11:45 +0100 2009 Julian Edwards wrote:
> Can you explain why this makes you uncomfortable?  It implies that you already 
> have a problem with this for other LP operations maybe?  Can we do anything to 
> help with this?

I do a little. Given that there is no review of new keys added to ~ubuntu-dev
members you could gain upload rights to Ubuntu by compromising either my
session, or by guessing by LP password. This increases the attack surface
compared to just securing a GPG key, which has established practices and
good education about the importance of doing so.

/me goes to change his LP password

> > Should we perhaps be looking at a different trigger mechanism, at least
> > for the distribution, such as an alternative .changes file format
> > that specifies the needed parts.
> 
> From my point of view, the sheer convenience of doing these uploads from the 
> web is going to be amazing.  I feel somewhat uncomfortable about doing 
> something like this as IMO it communicates that we don't trust the LP 
> authentication.

Well, perhaps we shouldn't, that's why I would like to have the
discussion.

As I said, LP does better at this than a lot of other sites, by e.g.
forcing SSL for all communication. However, I'm still nervous about switching
one well-established and well-understood mechanism for another that isn't
so well-established and well-understood in Ubuntu development.

> > This is perhaps being overly paranoid, given that all that stops you
> > from adding a new GPG to my account and uploading with that right
> > now is the cookie/password protection. Also, removing packages
> > from the distribution, and when/if copying packages to the distribution
> > from other archives is possible, they would have the same protection.
> > Even so, I would like to have a discussion with the usual suspects
> > about this (elmo, cjwatson, kees, etc.), perhaps at UDS?
> 
> Yes, this would make a great UDS session.  Would you be able to set that up?

I can do that.

Thanks,

James

References

Build From Branch, or BFB
From: Julian Edwards, 2009-10-06
Re: Build From Branch, or BFB
From: James Westby, 2009-10-07
Re: Build From Branch, or BFB
From: Julian Edwards, 2009-10-07