← Back to team overview

launchpad-dev team mailing list archive

Re: Build farm and the slave build id menagerie


Jonathan Lange wrote:

The plan sounds good to me. It seems that you are missing key
information on what the actual threats and security requirements are.

Absolutely. In fact, if anyone manages to exploit this for an attack, I propose we hire them.

I don't want to block what seems to be a useful simplifying change,
but were I you I'd consult James Troup, LaMont Jones or do some threat

That's an interesting suggestion. I am reluctant however to approach these people with such an open-ended question. From where I'm standing, it'd be better for someone with a broader understanding of Soyuz to do that and not waste their time so much. For a thrill, try asking any expert if this, like, computer code we have is, like, secure or not that you don't fully understand but it does stuff, like, with servers and such and could they give details!

But one thing we do know is, security doesn't happen by accident. The existing mechanism floats somewhere between belt-plus-suspenders and a chastity belt, and even if it's accidentally secure in some ways today, the code will evolve to erode that.

So I proposed a replacement that is not perfect but (0) simpler, (1) more secure than what we have, (2) deliberately there to produce a hard-to-guess string, and (3a) easy to gut if we decide it doesn't improve our security after all or (3b) easy to improve in isolation if we decide that it does. I did that specifically so that the open question would be no reason not to do it; I'm grateful that you picked up the same banner. :-)


Follow ups