[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Reproduce-devel] [bug #56724] required installing of non-native openssh
From: |
Boud Roukema |
Subject: |
[Reproduce-devel] [bug #56724] required installing of non-native openssh is a security bug |
Date: |
Tue, 6 Aug 2019 16:18:41 -0400 (EDT) |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 |
URL:
<https://savannah.nongnu.org/bugs/?56724>
Summary: required installing of non-native openssh is a
security bug
Project: Reproducible paper template
Submitted by: boud
Submitted on: Tue 06 Aug 2019 08:18:39 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
A Turing machine can, by definition, do anything that any other Turing machine
can do. This is why setting bounds on what a system or subsystem can do is
crucial.
While a user-level reproducibility script in the sense used here very much
uses remote Internet resources, adding further means of internet access,
especially that _appear_ to be secure, is an obvious field open to security
flaws.
Installing a "user-level openssh" package seems highly risky to me. Novice
users will often type passwords when requested to do so, without taking the
effort to check why they are being asked to and by what piece of software.
In this case, ssh is only needed if the user runs openmpi across a cluster
with several machines. For a heavy program, that would indeed be a likely
usage scenario, but for a small enough (cpu/memory) program, a single machine
can be used with openmpi, with
mpirun -n 1 ...
Doing exact reproducibility with openmpi seems to me a long term goal
(guidelines and examples for openmp and openmpi will be needed); I think for
the moment, it would be safer to have a default policy of _not_ installing
openssh.
As an example, exact reproducibility with mpgrafic is done here using mpi
(usually openmpi) on a single thread:
https://salsa.debian.org/debian-astro-team/mpgrafic/blob/master/regression-test-0.3.7.9.sh
This has successfully passed debian automated testing on multiple machines for
over two years (successfully detecting bugs on related packages):
https://tracker.debian.org/pkg/mpgrafic
Here's a concrete proposal:
PROPOSAL: Any mpi packages should (i) allow the use of
mpirun --mca plm_rsh_agent /bin/false ...
when openmpi is the chosen mpi implementation (this is a safe default, it's
the preferred debian implementation);
and (ii) may set openssh as a "recommended" dependency only, not a "required"
dependency.
Probably we can set openmpi as our required implementation: we're not aiming
at a general software distribution, we're aiming at one feasible, high-quality
reproducibility system. So (i) should maybe become "must use in any scripts"
rather than "should allow".
SEE ALSO:
https://savannah.nongnu.org/bugs/index.php?56723
https://lists.debian.org/debian-science/2015/10/msg00032.html
https://www.open-mpi.org/faq/?category=rsh
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?56724>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
- [Reproduce-devel] [bug #56724] required installing of non-native openssh is a security bug,
Boud Roukema <=