On Tue, 7 Apr 2020 12:47:33 +0200 Thomas Deutschmann <whi...@gentoo.org> wrote:
> Sure, that could have banal reasons like "No one audited the Linux > version yet". But in security you don't issue warnings if you aren't > sure. Because if you make false statements people will no longer trust > you. But trust is everything. Agree. In line with my other suggestions with exposing this via in-repo meta-data, there probably should be a facility in a future EAPI that allows one to both know about this /class/ of risk, and address it. So for instance: ACCEPT_ASPECTS="bug:45678 bug:14678 cve:COVID-19 trust:proprietary" Or something. The gist being that say, zoom could have: > net-im/zoom trust:proprietary As could anything that is both shipped as a binary blob, not produced by somebody on gentoo staff, and has no source available. For instance, if the source is available, but its a 3rd party binary, there could potentially be a step in shipping that puts unaudited code in the binary, so its not smart to say its entirely as-bad as something that is unaudited, but *some* caution should be taken. If a user locally wants to, by policy, avoid all packages that are either unaditable, or have some weaknesses around their auditabilty, we should provide tools to do that. Syntax above not expected verbatim, just food for thought, but its worth mentioning that bug/cve/trust levels don't always map 1:1 with packages, and also, that the nature of this metadata is that it SHOULD NOT be in the ebuild itself, as it is inherently "repo based", the installed values of these are worthless. Running with the idea a bit here: It would even be possible for a 3rd party overlay to contain *only* a trove of these aspects, and then a controlled deployment could have a local REQUIRED_ASPECTS="trust:team-sec" ( where team-sec is defined by said overlay ) Which requires all packages you install on your system have some sort of metadata indicating that they've been signed off by team-sec. ( either the whole cat/pn, or some versions there of )
pgpFBOb9vl43a.pgp
Description: OpenPGP digital signature
