[Xapian-discuss] How can I trust the xapian openSUSE packages?

Marcus Rueckert darix at web.de
Mon Nov 19 20:51:22 GMT 2007


hi,

the xapian package would be mine, and the mail reminds me to update the
package.

On 2007-11-19 18:58:47 +0100, Gregor Schmid wrote:
> sorry to bother you with this, but I couldn't find a satisfying answer
> to the question at openSUSE or in the xapian mailing list archives.
> 
> In short, I need to convince our provider to install the SUSE xapian
> packages on the server on which they are hosting our website as well
> as those of other customers. Due to that they are very concerned about
> security.

what provider is that?

> The SUSE RPMs for xapian are provided on the openSUSE build service
> and though I'm pretty sure that they were placed there by some of the
> xapian developers, it is not clear how our provider can verify that.
> On the Build Service website there is talk about a trust relationship
> and a rating mechanism, but none of this seems to be implemented.
> 
> If whoever is making the SUSE RPMs available reads this message, can
> you please explain whether there is any mechanism in place that
> ensures that those packages come from you and not from any potentially
> malicious user that creates an account at the SUSE Build Service?

the buildservice is just a service to build the package.
it always matters who maintains the package. atm you can only see that if
you have a buildservice account yourself; i will bring that up at the
meeting tomorrow. so in the case of xapian it would be me.

i work for suse as packager.

> If there's no such mechanism, would it be possible for you to assist
> verification by, for example, publishing an MD5 hash for the latest
> packages on the xapian.org website? Our provider would be willing to
> trust a package downloaded directly from the authors, i.e.
> www.xapian.org and posting such a hash for externally provided
> packages could create the same level of trust for those.

the packages and the pkg meta data are protected with gpg signatures.
atm it is a shared gpg key for all buildservice projects. this will be
changed in the near future.

you could download our source rpm and verify the checksum of the
tarball. the spec file has the build instructions we used to build the
package.

> Ideas, alternative suggestions, feedback from other users of the xapian
> SUSE RPMs etc. would be greatly appreciated.

in another reply it was suggested to build the rpms yourself with
rpmbuild. the spec is slightly different from mine (suse packaging
policies) and is not built in a clean chroot [1] like our rpms.

hope this helps

    darix

[1] actually those are xen instances now. a new xen vm for each build
job.

-- 
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org
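The two checks darix describes above, signature verification of the buildservice rpm and a checksum comparison of the tarball inside the source rpm against the upstream release, written out as a small script. This is an added example, not code from the thread, from darix, or from the xapian or openSUSE projects. It assumes rpm, rpm2cpio, cpio and sha256sum (or shasum) are installed, that the buildservice signing key has already been imported with `rpm --import`, and that the upstream checksum is available as "<hex>  <filename>" lines in the format sha256sum emits; SHA-256 is used instead of the MD5 the thread mentions because MD5 collisions are practical. The tarball name used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example: verify an openSUSE buildservice (S)RPM of xapian.
#   1. verify_package_signature : GPG signature/digests via rpm -K
#   2. extract_srpm             : unpack the .src.rpm (tarball + spec)
#   3. compare_tarball_checksum : compare the embedded tarball against an
#      upstream checksum list (assumed format: "<hex>  <filename>")
# Caveat from the thread: the buildservice key is shared across projects,
# so step 1 only proves "built by the buildservice", not "built by darix";
# step 3 is what ties the package back to the upstream release.

sha256_of() {
    # Print the SHA-256 hex digest of a file, using whichever tool exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_package_signature() {
    # rpm -K checks the package signature against keys in the rpm database.
    # It exits non-zero on failure; an unknown key shows up as NOKEY /
    # "MISSING KEYS", so reject that output explicitly as well.
    out=$(rpm -K "$1" 2>&1) || { echo "signature check failed: $out" >&2; return 1; }
    case $out in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*)
            echo "signature not trusted: $out" >&2; return 1 ;;
    esac
    echo "signature OK: $out"
}

extract_srpm() {
    # Unpack a .src.rpm into $2; yields the upstream tarball and the .spec.
    srpm=$1; dest=$2
    rpm2cpio "$srpm" | (cd "$dest" && cpio -idm 2>/dev/null)
}

compare_tarball_checksum() {
    # $1 = tarball path, $2 = checksum list ("<hex>  <name>" lines).
    # Returns 0 on match, 1 on mismatch, 2 if the list has no entry.
    tarball=$1; checksums=$2
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) {print $1; exit}' "$checksums")
    [ -n "$expected" ] || { echo "no checksum for $name in $checksums" >&2; return 2; }
    actual=$(sha256_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches upstream checksum"
        return 0
    fi
    echo "MISMATCH: $name: got $actual, expected $expected" >&2
    return 1
}

# Usage: sh verify-srpm.sh xapian-core-<ver>.src.rpm upstream-SHA256SUMS
main() {
    srpm=$1; checksums=$2
    verify_package_signature "$srpm" || return 1
    workdir=$(mktemp -d)
    extract_srpm "$srpm" "$workdir" || return 1
    for t in "$workdir"/*.tar.gz "$workdir"/*.tar.bz2 "$workdir"/*.tar.xz; do
        [ -e "$t" ] || continue
        compare_tarball_checksum "$t" "$checksums" || return 1
    done
    echo "build instructions used for the binary rpm:" "$workdir"/*.spec
}

[ $# -eq 0 ] || main "$@"
```

The checksum list is the part that has to come from somewhere the provider already trusts (the thread suggests www.xapian.org); fetching it from the same mirror as the rpm would defeat the purpose.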


