Openembedded Core Discussions
From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Sean Hudson <sean_hudson@mentor.com>,
	Paul Eggleton <paul.eggleton@linux.intel.com>,
	openembedded-architecture@lists.openembedded.org
Cc: openembedded-core <openembedded-core@lists.openembedded.org>
Subject: Re: [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)
Date: Thu, 22 Jun 2017 10:21:44 +0100	[thread overview]
Message-ID: <1498123304.24449.114.camel@linuxfoundation.org> (raw)
In-Reply-To: <4358098a-6b7b-c5ae-66b2-da2beb052595@mentor.com>

On Tue, 2017-06-20 at 08:27 -0500, Sean Hudson wrote:
> On 2017-06-20 04:30 AM, Paul Eggleton wrote:
> > On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote:
> > > On 2017-06-19 09:05 AM, Mark Hatle wrote:
> > > > It would be reasonable to write up a 'best practices' type document.
> > > > Explaining that simply due to the nature of building many of these
> > > > things will be 'leaked' and where some of them are leaked through.
> > > > (Package generation, compilation, etc for instance.)
> > > That sounds reasonable, although, TBH, if someone is adding credentials
> > > to their SRC_URIs, I would expect that a best practice would be ignored.
> > > Perhaps adding a detection routine that emitted a warning during
> > > parsing for credentials in the SRC_URI might be warranted?  Thoughts?
> > This might be useful yes. I think the stumbling block is that at the
> > moment we would have to have it off by default and then the user is
> > almost certainly not going to know to turn it on. Perhaps this is
> > another thing that we might check in a "production" vs. "development"
> > mode where the user can easily switch to the former to enable a set of
> > more stringent checks.
> I'm not sure I follow.  What would prevent us from turning on a warning
> that detected credentials in a SRC_URI by default?  Even with Richard's
> change to prevent the information from propagating into the .ipk, it
> seems useful to notify the user.  Personally, I'd like to know if one of
> the recipes I'm using has such information in it regardless of whether
> I'm generating a development or a production image.

We can certainly do this, it's technically not an issue. My worry is
that it gives false security feelings since you can easily expose
hostnames or other information as well as credentials. Where do we
stop?

We could go as far as to stop bitbake supporting usernames/passwords in
URLs. There are some use cases where that is useful though...

Cheers,

Richard
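The parse-time check Sean proposes above, written out as an added example (not code from BitBake or from anyone in this thread). It assumes only the SRC_URI format BitBake's fetcher reads: whitespace-separated URLs, each optionally followed by `;key=value` parameters, with credentials carried in the URL's userinfo (`user:pass@host`). It both warns and shows the redacted form that could safely be recorded in package metadata; as Richard notes, the hostname still remains visible after redaction.

```python
# Added example: detect credentials embedded in a BitBake SRC_URI at parse
# time and produce a redacted URL. Not BitBake's own code; the SRC_URI
# layout ('url;key=value ...') and userinfo-in-URL credential form are the
# only assumptions made.
from urllib.parse import urlsplit, urlunsplit


def split_src_uri(src_uri):
    """Yield (url, params) pairs from a SRC_URI string."""
    for entry in src_uri.split():
        url, *rest = entry.split(";")
        params = dict(p.split("=", 1) for p in rest if "=" in p)
        yield url, params


def has_userinfo(url):
    """True if the URL authority carries a username and/or password."""
    parts = urlsplit(url)
    # An empty username with a password ('https://:pw@host/') still counts.
    return bool(parts.username or parts.password)


def redact_userinfo(url):
    """Return the URL with 'user:pass@' stripped; host, path and query stay."""
    p = urlsplit(url)
    if not (p.username or p.password):
        return url
    host = p.hostname or ""
    if ":" in host:          # IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


def check_src_uri(recipe, src_uri):
    """Return one warning per SRC_URI entry that embeds credentials.

    The warning quotes only the redacted URL so the secret is not copied
    into build logs by the very check meant to flag it.
    """
    warnings = []
    for url, _params in split_src_uri(src_uri):
        if has_userinfo(url):
            warnings.append(
                f"{recipe}: SRC_URI entry carries credentials: "
                f"{redact_userinfo(url)}"
            )
    return warnings
```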