[Reproduce-devel] [bug #56724] required installing of non-native openssh is a security bug

[Boud Roukema]

URL:
  <https://savannah.nongnu.org/bugs/?56724>

                 Summary: required installing of non-native openssh is a
security bug
                 Project: Reproducible paper template
            Submitted by: boud
            Submitted on: Tue 06 Aug 2019 08:18:39 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

A Turing machine can, by definition, do anything that any other Turing machine
can do. This is why setting bounds on what a system or subsystem can do is
crucial.

While a user-level reproducibility script in the sense used here very much
uses remote Internet resources, adding further means of internet access,
especially that _appear_ to be secure, is an obvious field open to security
flaws.

Installing a "user-level openssh" package seems highly risky to me. Novice
users will often type passwords when requested to do so, without taking the
effort to check why they are being asked to and by what piece of software.

In this case, ssh is only needed if the user runs openmpi across a cluster
with several machines. For a heavy program, that would indeed be a likely
usage scenario, but for a small enough (cpu/memory) program, a single machine
can be used with openmpi, with 


mpirun -n 1 ...


Doing exact reproducibility with openmpi seems to me a long term goal
(guidelines and examples for openmp and openmpi will be needed); I think for
the moment, it would be safer to have a default policy of _not_ installing
openssh.

As an example, exact reproducibility with mpgrafic is done here using mpi
(usually openmpi) on a single thread:

https://salsa.debian.org/debian-astro-team/mpgrafic/blob/master/regression-test-0.3.7.9.sh

This has successfully passed debian automated testing on multiple machines for
over two years (successfully detecting bugs on related packages):

https://tracker.debian.org/pkg/mpgrafic

Here's a concrete proposal:

PROPOSAL: Any mpi packages should (i) allow the use of


mpirun --mca plm_rsh_agent /bin/false ...


when openmpi is the chosen mpi implementation (this is a safe default, it's
the preferred debian implementation);

and (ii) may set openssh as a "recommended" dependency only, not a "required"
dependency.

Probably we can set openmpi as our required implementation: we're not aiming
at a general software distribution, we're aiming at one feasible, high-quality
reproducibility system. So (i) should maybe become "must use in any scripts"
rather than "should allow".


SEE ALSO:
https://savannah.nongnu.org/bugs/index.php?56723
https://lists.debian.org/debian-science/2015/10/msg00032.html
https://www.open-mpi.org/faq/?category=rsh





    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?56724>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/