On 08/30/2013 10:01 PM, Jay Greguske wrote:
> I'd like to see some elaboration on why VMs instead of chroots would be
> required. I can draw my own conclusions (security) but I'd like to see
> them listed out first before continuing the discussion.

The Koji builder has a certificate stored somewhere. This certificate
authorizes it to the Koji hub.
Whoever has this certificate can act as a Koji builder.
The Koji builder builds using mock, which means in a chroot. There are some
known exploits which allow you to break out of chroots.
Now imagine an evil package which will break out of the chroot, read that
certificate and deliver it to an attacker.
He can now build an evil builder and start building modified packages.
While there are known exploits to affect the host machine of a VM, it is
definitely harder than breaking out of a chroot.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys