launchpad-dev team mailing list archive
Re: Build farm and the slave build id menagerie
Jonathan Lange wrote:
> The plan sounds good to me. It seems that you are missing key
> information on what the actual threats and security requirements are.
Absolutely. In fact, if anyone manages to exploit this for an attack, I
propose we hire them.
> I don't want to block what seems to be a useful simplifying change,
> but were I you I'd consult James Troup, LaMont Jones or do some threat
That's an interesting suggestion. I am reluctant however to approach
these people with such an open-ended question. From where I'm standing,
it'd be better for someone with a broader understanding of Soyuz to do
that and not waste their time so much. For a thrill, try asking any
expert if this, like, computer code we have is, like, secure or not that
you don't fully understand but it does stuff, like, with servers and
such and could they give details!
But one thing we do know is, security doesn't happen by accident. The
existing mechanism floats somewhere between belt-plus-suspenders and a
chastity belt, and even if it's accidentally secure in some ways today,
the code will evolve to erode that.
So I proposed a replacement that is not perfect but (0) simpler, (1)
more secure than what we have, (2) deliberately there to produce a
hard-to-guess string, and (3a) easy to gut if we decide it doesn't
improve our security after all or (3b) easy to improve in isolation if
we decide that it does. I did that specifically so that the open
question would be no reason not to do it; I'm grateful that you picked
up the same banner. :-)