GNU bug report logs -
#43770
Geeks think securely: VM per Package (trustless state to devs and their apps)
Previous Next
Reported by: bo0od <bo0od <at> riseup.net>
Date: Fri, 2 Oct 2020 18:03:01 UTC
Severity: normal
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your bug report
#43770: Geeks think securely: VM per Package (trustless state to devs and their apps)
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 43770 <at> debbugs.gnu.org.
--
43770: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=43770
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Hi,
bo0od <bo0od <at> riseup.net> skribis:
> Actually what i wanted to say but seems i missed it, This security
> design can be engineered and implemented when Guixsd released based on
> GNU-Hurd Kernel. Because its going to be totally new kernel and having
> this feature is without question the best security feature for the
> future of security within operating systems.
>
> Otherwise we gonna fall into the same cycle of trust to outside
> package developers and their codes without preventive mechanism
> against if its malicious one.
>
> If you mean the bug report is not the place for this request, then i
> dont know where because i already discussed it in the IRC channel.(if
> there is somewhere else i can report this just tell me)
It’s great to share your views of what you think should be done from a
security standpoint. There’s little more we contributors can say other
than: yes, we agree, we’re working in this direction, and it’s going to
be a long journey.
What could help though is if people like you come and join us on that
journey. I very much encourage you to play with Guix System and in
particular with the “childhurd” service that has recently landed and
should be of interest to you.
For now I’m closing the bug because as Ricardo wrote, it’s not a bug
report per se.
Thank you,
Ludo’.
[Message part 3 (message/rfc822, inline)]
Hi There,
If we look at current state of packages running inside GNU distros they
are in very insecure shape which is either they are installed without
sandboxing because the distro doesnt even provide that or no profiles
exist for the sandboxing feature and has issues e.g:
- Sandboxing can be made through MAC (apparmor,selinux) or Using
Namespaces (firejail,bubblewrap) But the problem with using these
features it needs a defined/preconfigured profile for each package in
order to use them thus making almost impossible case to be applied on
every package in real bases. (unless a policy which saying no package is
allowed without coming with its own MAC profile, but thats as well has
another issue when using third party packages...)
- Containers are like OS, and to use it within another OS is like OS in
OS i find it crazy and not just that the way that the package gets
upgraded is not reliable to be secure so this wont solve our issue as well.
To solve this mess, is to use virtualization method and to make that
happen is to put each package in a VM by itself means the package gonna
use the system resources without being able maliciously gain
anything.This provide less trust to developers and their code running
within the system.
one of the greatest design made in our time towards security is
GNU/Linux Qubes OS, it uses OS per VM and has VM to VM
communication...etc i highly recommend reading their design to take some
ideas from it:
https://www.qubes-os.org/doc/
Useful refer:
https://wiki.debian.org/UntrustedDebs
https://blog.invisiblethings.org/papers/2015/state_harmful.pdf
ThX!
This bug report was last modified 4 years and 288 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.