
Owl River Company


Independent RPM packaging project, and Owl River SRPMs, and tracking system meta-information project


First, there was 'contrib.redhat.com' -- but it was too hard for an end consumer to judge the quality of the packages, and too hard for the packager to keep up with updated releases and security matters.

Then there were Matthias Saou's freshrpms.net and Bero's (Bernhard Rosenkraenzer's) archive. Bero has since moved to new digs with "Ark Linux", and each has a fine product.

The Owl River archive has carried the bits and pieces which leak, unsigned, from our commercial packaging for clients.

In late 2002, Warren Togami proposed and worked on a public, 'community based', independent RPM packagers' infrastructure: a 'Fedora project'. Several of the independent packagers were drawn to it, but as of the end of April 2003 the methodology items had still not been ironed out (see the Fedora website). Eventually, with Red Hat discontinuing its supported 'Red Hat Linux' product and exiting the boxed consumer product market, Togami announced a 'merger' of the formerly non-affiliated Fedora.US project into Red Hat control. He also took a position with them around that time.

In support of the Fedora project, we participated in the process and published several 'thought piece' items. Formal and systematic pieces for comment, not enumerated or linked at the Fedora project website, include the following:
  1. Commentary on the initial Fedora proposal - (mailing list copy)
  2. A proposed build flow and QA document for comment (revised) - (mailing list copy - initial post). See also ftp://ftp.owlriver.com/pub/local/ORC/packaging for ORC_flow_build, a build wrapper script designed to capture the relevant build environment variables and details, in a fashion adequate for a remote 'QA reviewer' to reproduce and diagnose a 'Packager's' non-conformances and build environment issues.
  3. Response to Update - (mailing list copy)
  4. Response to 'Overlaps' - Fedora Package Wish List - (mailing list copy)
  5. rhel-rebuild build systems outline

'A Scout is trustworthy, ...'

audio quid ueteres olim moneatis amici,
"pone seram, cohibe." sed quis custodiet ipsos
custodes? cauta est et ab illis incipit uxor. 
I hear always the admonishment of my friends:
"Bolt her in, constrain her!" But who will guard
the guardians? The wife plans ahead and begins with them! 
-- Juvenal, Satire 6, lines 346–348 (via Wikipedia)

Great care is needed: defenders of complex systems, by definition, can only play defense, while an attacker only has to score once:
  1. Ken Thompson's 'Reflections on Trusting Trust' (August 1984), whose compiler trap door traces back to the Multics security evaluation described in "How the Air Force cracked Multics Security"
  2. David A. Wheeler's response (diverse double-compiling) - still an open issue, thirty years later; proposed for Fedora and shot down
  3. GnuPG - a few minutes on using detached and clearsigned content. How can we know that the person who asserts a thing actually did say it?
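As an added illustration of item 3 (an editor's example, not code from Owl River Company or the GnuPG project), the script below makes a detached signature and a clearsigned copy of a constructed spec-file stand-in, then verifies them the way a reviewer should: not "did gpg exit 0" but "was the signature made by the fingerprint I was told to expect". It assumes gpg 2.x on the PATH and generates a throwaway key under a hypothetical identity (packager@example.invalid) into a temporary GNUPGHOME; the all-zeros fingerprint in the last case is simply a value that cannot match.

```shell
#!/bin/sh
# Added example for this page; editor's illustration, not Owl River Company code.
# Assumes gpg 2.x on PATH. A throwaway key with a hypothetical identity
# (packager@example.invalid) is generated into a temporary GNUPGHOME.

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$WORK"' EXIT

# 1. Throwaway signing key, unprotected so batch mode needs no pinentry.
cat >"$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF
gpg --batch --quiet --gen-key "$WORK/keyparams" >/dev/null 2>&1

# 2. The fingerprint we are prepared to trust. In real use this comes from an
#    out-of-band channel (the packager's published fingerprint), never from
#    the signature file itself or from whatever key a keyserver hands back.
TRUSTED_FPR=$(gpg --batch --with-colons --fingerprint packager@example.invalid 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }')

# 3. Constructed payload standing in for a spec file or tarball.
printf 'Name: foo\nVersion: 1.0\nSource0: foo-1.0.tar.gz\n' >"$WORK/foo.spec"

sign_detached() {   # $1 = file; writes an ASCII-armored signature to $1.sig
    gpg --batch --yes --quiet --armor --detach-sign -o "$1.sig" "$1" 2>/dev/null
}

clearsign() {       # $1 = file; writes $1.asc carrying text and signature together
    gpg --batch --yes --quiet --clearsign -o "$1.asc" "$1" 2>/dev/null
}

# gpg's exit status only says "some key in the keyring made a good signature".
# The VALIDSIG status line carries the signing key's fingerprint (and, as its
# last field, the primary key's); that is what we compare against.
valid_sig_by() {    # reads gpg --status-fd output on stdin; $1 = expected fingerprint
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

verify_detached() {     # $1 = data file, $2 = detached signature, $3 = expected fingerprint
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | valid_sig_by "$3"
}

verify_clearsigned() {  # $1 = clearsigned file, $2 = expected fingerprint
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | valid_sig_by "$2"
}

sign_detached "$WORK/foo.spec"
clearsign "$WORK/foo.spec"

check() { if "$@"; then echo GOOD; else echo BAD; fi; }

untouched_result() { check verify_detached "$WORK/foo.spec" "$WORK/foo.spec.sig" "$TRUSTED_FPR"; }
tampered_result() {
    # one appended line: a patch the packager never signed
    cp "$WORK/foo.spec" "$WORK/foo.spec.tampered"
    printf 'Patch0: extra.patch\n' >>"$WORK/foo.spec.tampered"
    check verify_detached "$WORK/foo.spec.tampered" "$WORK/foo.spec.sig" "$TRUSTED_FPR"
}
wrongkey_result() {
    # cryptographically fine signature, but not from the fingerprint we expect
    check verify_detached "$WORK/foo.spec" "$WORK/foo.spec.sig" \
        0000000000000000000000000000000000000000
}
clearsigned_result() { check verify_clearsigned "$WORK/foo.spec.asc" "$TRUSTED_FPR"; }

echo "detached, untouched:      $(untouched_result)"
echo "detached, one line added: $(tampered_result)"
echo "detached, unexpected key: $(wrongkey_result)"
echo "clearsigned, untouched:   $(clearsigned_result)"
```

The point of the third case is the one that bites in practice: a signature from an attacker's key that has found its way into the keyring still makes gpg exit 0 (with only a "not certified" warning on stderr). Pinning the fingerprint turns "signed by somebody" into "signed by the packager I expected", which is the question the page asks.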

... introspection

We compile some compromises in the FOSS space, since it does no good to avert one's eyes; how one responds matters, as 'security is a process of risk control.'
  1. 2000 Sun Certificates (2) compromise
  2. 2002 sendmail compromise
  3. 2002 OpenSSH compromise - advisory
  4. 2003 Linux kernel CVS repository direct alteration, leapfrogged in from a hacked box at a university
  5. 2003 Gentoo rsync mirror compromise -- remote exploit via rsync; post mortem
  6. 2003 GNU archive - the need for signature checking, unhappily illustrated (local .pdf); (prime)
  7. 2003 Debian CVS - the need for signature checking, unhappily illustrated (local .pdf); (prime)
  8. 2004 Gnome.org (Red Hat's and others' response to the then non-Free qt)
  9. 2004 and later: several more, compiled from Google searches
  10. 2007 Ubuntu compromise
  11. 2008 Red Hat: trap-doored code presented and signed
  12. 2008 Fedora signing server compromised
  13. 2008 World Bank interior network compromised - archive items: Fox story (PDF), Bank internal website screenshot (PDF)
Sensibly, such care is driven in part by having a defined process, duly critiqued and spot tested. Some complain that too much process gets in the way of production, but the counter-comment echoes the familiar precept that 'Security is a Platonic ideal: to be strived for, but not an absolute which can be attained.'

We remain interested in several areas, and have refocused on our primary interest in clean RPM packaging and automated builds. We have found a good fit in the Community Au-courant Operating System (cAos, http://www.caosity.org/), led by Greg Kurtzer, which gives our efforts a target. We are also involved with Yellow Dog Linux and the Sparc Aurora project to the same effect.

We hope to be able to take virgin sources, provable signatures, .spec files, hint files, rpm, yum, a buildfarm and an ftp server, and ultimately spit out nightly 'make world' test .ISO images for loopback mounting, plus PXE-based network installs, updates and upgrades.

To these ends, we will continue to publish this page and act as a clearinghouse for certain meta-archive information.

Right now, the best existing approach in RPM-based Linux distributions seems to be the informal network of independently packaged, freely available archives of SRPMs (Source RPMs), each of which should contain all the parts needed for a clean build. Most of the distribution packaging houses are packaging GPL'd or other OSI-license-compliant code, with a concomitant source code release (including patches) that is a requirement (GPL) or a convenience (BSD-ish licenses). If the distribution or packager is based on the RPM packaging system, it is easier to release the SRPM than to decompose it into parts and solve namespace conflict issues. And so SRPMs are the most common delivery mechanism for source code.

(Please note that we do not minimize the BSD tarball 'ports' and 'make world' system, nor 'pkgtool', '.deb', depot or related systems; they are just not the most interesting branch for facility in automated rebuilding. Usually, given five minutes with a tarball and a template file, a skilled .spec-file packager can have a 'rough draft' SRPM in process.)

If a given SRPM does not build cleanly, there is a bug which needs to be reported, at least to the distribution packager, if not to the upstream developer or maintainer of the underlying code. Building a community infrastructure to ensure that patching is not lost, and, when security is an issue, that an alternative patch is available pending an 'official' main-line fix, is also part of the dull stuff which will improve the Open Source breed.
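The 'does not build cleanly' report above is only useful if the reviewer can see the box it failed on, which is what the ORC_flow_build wrapper mentioned earlier is for. The sketch below is an added, editor-written illustration of that shape of wrapper, not ORC_flow_build itself (that script lives at ftp://ftp.owlriver.com/pub/local/ORC/packaging): it records the toolchain versions, the rpm macros that most often differ between machines, the environment variables that leak into builds and the SHA-256 of the SRPM, then runs rpmbuild --rebuild if rpmbuild is installed. The SRPM it is run on here is a constructed placeholder file, so on a box with rpmbuild the rebuild step will fail and the record will say so; the tool and macro names are the standard ones, probed rather than assumed.

```shell
#!/bin/sh
# Added illustration for this page; editor's sketch of a build wrapper, not
# ORC_flow_build. Records what a remote QA reviewer needs in order to
# reproduce a build, then runs rpmbuild --rebuild when rpmbuild exists.

# SHA-256 of a file, via whichever tool the box has
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

capture_build_env() {   # $1 = SRPM path, $2 = record file to write
    {
        echo "date_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "host: $(uname -snrm)"
        echo "user: $(id -un 2>/dev/null || echo unknown)"
        echo "umask: $(umask)"
        # Toolchain versions: the usual source of "builds for me, not for you"
        for tool in rpm rpmbuild gcc make; do
            if command -v "$tool" >/dev/null 2>&1; then
                echo "$tool: $("$tool" --version 2>&1 | head -n 1)"
            else
                echo "$tool: (not installed)"
            fi
        done
        # rpm macros that most often differ between packager and reviewer boxes
        if command -v rpm >/dev/null 2>&1; then
            for m in _topdir _target_cpu dist optflags _smp_mflags; do
                echo "macro %$m: $(rpm --eval "%{$m}" 2>/dev/null)"
            done
        fi
        # Environment variables that leak into builds
        for v in PATH LANG LC_ALL CC CXX CFLAGS LDFLAGS TMPDIR; do
            eval "val=\${$v-}"
            echo "env $v: $val"
        done
        # Identity of the input, so both sides know they built the same bytes
        echo "srpm: $1"
        echo "srpm_sha256: $(file_sha256 "$1")"
    } >"$2"
}

record_field() {        # $1 = record file, $2 = key; prints the recorded value
    sed -n "s/^$2: //p" "$1"
}

wrapped_rebuild() {     # $1 = SRPM, $2 = log directory; returns rpmbuild's exit status
    mkdir -p "$2"
    capture_build_env "$1" "$2/environment.txt"
    if command -v rpmbuild >/dev/null 2>&1; then
        rpmbuild --rebuild "$1" >"$2/rpmbuild.log" 2>&1
        rc=$?
    else
        echo "rpmbuild not installed; environment record only" >"$2/rpmbuild.log"
        rc=127
    fi
    echo "rpmbuild_exit: $rc" >>"$2/environment.txt"
    return "$rc"
}

# Constructed stand-in for an SRPM (just bytes; rpmbuild would reject it).
WORK=$(mktemp -d)
printf 'not a real srpm\n' >"$WORK/foo-1.0-1.src.rpm"
wrapped_rebuild "$WORK/foo-1.0-1.src.rpm" "$WORK/qa"
cat "$WORK/qa/environment.txt"
```

A reviewer who receives environment.txt and rpmbuild.log together can diff the macro and toolchain lines against their own box before spending any time on the build log itself, which is where most 'builds for the packager but not for QA' reports end up being explained.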

We have recently found that #rpmbuild has been renamed to #packaging on irc.freenode.net, and we hang out there. Primarily, however, we are in #centos on that network.
Major independent packagers we watch or are aware of (alphabetical order by last name)
Ronny Buchmann  Vlugnet  http://vlugnet.org/
Rex Dieter (rdieter at math.unl.edu)  http://www.math.unl.edu/~rdieter/Projects/
  -- also KDE for Red Hat: http://kde-redhat.sourceforge.net/
Matthew Hall  http://people.ecsc.co.uk/~matt/repository.html
Rudolf (Che) Kastl (che666 at uni.de)  http://newrpms.sunsite.dk
Fernando Lopez-Lezcano  PlanetCCRMA  http://www-ccrma.stanford.edu/planetccrma/software/
Panu Matilainen (pmatilai at welho.com)  http://koti.welho.com/pmatilai/misc/
Dams Nade (anvil)  rpm.livna.org  http://rpm.livna.org/
David Nečas (Yeti) (yeti at physics.muni.cz)  http://trific.ath.cx/resources/rpm/
Matthias Saou (matthias at rpmforge.net)  http://freshrpms.net
Ville Skyttä (ville.skytta at iki.fi)  http://cachalot.ods.org  http://cachalot.mine.nu/1/
Ralf Spenneberg  http://www.spenneberg.com/index.php
Thomas Vander Stichele (thomas at urgent.rug.ac.be)  http://thomas.apestaart.org/projects/
Axel Thimm (Axel.Thimm at physik.fu-berlin.de)  http://atrpms.physik.fu-berlin.de/
Dag Wieers (dag at wieers.com)  http://dag.wieers.com/home-made/

CERN Linux  http://linux.web.cern.ch/linux/
Fermi Linux  http://www-oss.fnal.gov/projects/fermilinux/
Gstreamer  http://gstreamer.net/
JPackage  http://www.jpackage.org/
KRUD  http://www.tummy.com/krud/
Owl River Company  ftp://ftp.owlriver.com/pub/local/ORC/
Wirex  http://www.wirex.com/products/immunixos/

We may have missed one of which you are aware. Please let us know the details.

Additional distribution packagers we watch or are aware of (alphabetical order)
cAos  http://caosity.org/
fedora - Red Hat sponsored  http://fedora.redhat.com/
rhel-rebuild  http://www2.uibk.ac.at/zid/software/unix/linux/rhel-rebuild-l.html
Rocks  http://rocks.npaci.edu/
whitebox  http://www.beau.org/~jmorris/linux/whitebox/
Vermillion  http://www.kainx.org/vermillion/
  -- also Mezzanine: http://www.kainx.org/mezzanine/

CentOS-oriented adjuncts
centosplus within centos.org
dag.wieers.com/packages/
centos.karan.org
dev.centos.org
ftp.owlriver.com

More archival matter:

