Build Service/Concepts/Trust

From openSUSE


Status of this document

This is currently just a brain dump from Adrian to get a discussion started.

This is currently focused on the openSUSE Build Service, because that is where it is needed most, but it should also be usable in other parts of the openSUSE infrastructure.

This document does not describe the trust implementation.

What is trust needed for in the OBS?

The openSUSE Build Service (OBS) is the Build Service instance running at opensuse.org. This service is meant to be as open as possible for every developer and user: anyone with internet access can start building a package immediately (an account needs to be created first, but it is available right away). The built package is also available to everybody immediately after a successful build. Every user can find these packages via http://software.opensuse.org/search .

Software built as classic rpm or deb packages is installed with root permissions, and the package's install scripts run as root as well, so it can do basically anything to your system before you have even run the program once. But even without root permissions, software can do evil things, like sending your private data to the public or to individual persons without you noticing it. Think about all the passwords or credit card numbers you type into your system.

To protect yourself, you shouldn't download software from anywhere; in fact, you shouldn't use any software at all. By the same logic you shouldn't use a computer at all, or speak at all; your life in general is already a risk.

You may decide to stay alive, you may even decide to download software, but how do you decide what you can trust enough and where you do not want to take the risk? The openSUSE project wants to deliver a system that helps you here.

Kinds of trust

In general, trust in a piece of software comes from the people behind it. If we can trust them, we can trust their software. Two different kinds of trust are involved:

  • We need to trust them not to do something bad intentionally, like writing code that logs everything you type on the keyboard or activates the built-in microphone and sends all the data to them.
  • We also need to trust them not to do something bad by accident. A nice person who strictly believes in the holiness of Tux and Konqi and has never done anything that could even be discussed as maybe bad does not exist. And even if such a person existed, they might still not be able to work in a way that does not hurt others. Hey, what is a wiped hard disk between friends?

What is the goal?

The goal should be to get as much software as possible under the highest possible trust level. Therefore the process of gaining trust needs to be attractive to most people. Since a group of people can never easily agree on a single system, we should consider offering several possible ways.

How can we build up trust?

Please keep in mind that all of this is intended to be optional, not a requirement. The consequences of not taking part would just be fewer users for your stuff, less direct write access to some parts, and a harder time getting your stuff into an openSUSE distribution. But everybody who wants to can still work with the content you delivered.

Make rules in the guiding principles

If a user accepts the rules in the guiding principles, he at least says that all this is not a joke to him. Of course he can simply lie or be drunk, so this is not strong (gives 1 point on my personal scale).

Other users like his work

A person who has already done a number of good things for the project over a period of time might get rated by others. (Can give up to 20 points on my scale.)

The user sends in his personal data in a trusted way

We do not need to invent new rules to forbid intentionally doing bad things to others. This is more or less forbidden in every state on this planet, independent of the rules of the openSUSE project. A person who steals credit card numbers can get sued in his or her state. However, one needs to know who this person is to be able to find him or her. Therefore it is desirable that we have mechanisms to register in a way that states name and address in a trustworthy way. Side note: a SUSE/Novell employee has already done this with his work contract, but others shall be able to reach the same level. (Gives 50 points on my personal scale.)

The user commits to being responsive and delivering updates for his stuff

A user commits to delivering, for example, security updates for his software. He shall be able to revoke this later, which would reduce the trust level again. (Gives 5 points.)

The user commits to being responsive and delivering updates for his stuff for a defined time

A user commits to delivering, for example, security updates for his software for a certain time frame, under any condition. He shall be able to revoke this later, but this requires a warning X years/months in advance. (Gives 20 points.)

Project/Company contracts

A group of people (this can be an open source project, a company, or ???) signs a contract to be responsive to reports and to handle upcoming issues for a defined time frame. If an individual leaves the group, the group will replace him or her. (Gives 40 points.)