
Package Management

A deeper look

Yunchih Chen

WSLAB May 8, 2017

(2)

Overview

● Motivation

● Package manager

● Various roles in package management: developer, maintainer, tester

● Quick overview of Debian

● Package life-cycle in the RedHat family, i.e. Fedora, RHEL, CentOS

● Package security

(3)

Motivation

(4)

Manual Installation

Installation wizards like these are not scalable:

(5)

Manual Installation

wget https://iperf.fr/download/source/iperf-3.1.3-source.tar.gz
tar zxf iperf-3.1.3-source.tar.gz
cd iperf-3.1.3 && ./configure && make && sudo make install

git clone https://github.com/django/django.git
cd django
sudo python setup.py install

1. What if they have dependencies?

2. What if someday you want to remove them safely?

3. What if they conflict with installed files?

4. What if you can't afford compiling them?

5. What if the install scripts are malicious?

6. What if you want to upgrade them?

(6)

Installing a webserver on Ubuntu in a breeze

root@ubuntu:~# apt-get install apache2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  apache2-bin apache2-data apache2-utils libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 ssl-cert
Suggested packages:
  www-browser apache2-doc apache2-suexec-pristine | apache2-suexec-custom openssl-blacklist
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 ssl-cert
0 upgraded, 10 newly installed, 0 to remove and 104 not upgraded.
Need to get 1,554 kB of archives.
After this operation, 6,412 kB of additional disk space will be used.
Do you want to continue? [Y/n]

(7)

Oops ... I just ran Bumblebee's install script with root

https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123

(8)

Oops ... I just ran Steam's install script with root

https://github.com/valvesoftware/steam-for-linux/issues/3671

(9)

Quality Assurance

Packages are repeatedly tested before every release.

Exercise:

Briefly describe Fedora's testing plan before each release.

(Hint: google Fedora release validation)

(10)

Package Manager

(11)

Package Manager, heart of every Linux distribution

Debian / Ubuntu: dpkg / apt
Arch Linux: pacman
Fedora / RHEL / CentOS: rpm / yum / dnf
openSUSE: rpm / zypper

(12)

The goal of package manager

Enable the user to do the following things with ease:

● Search & install new software

● Upgrade software

● Safely remove software

● Verify the downloaded software content

(13)

The goal of package manager

Enable the user to do the following things with ease:

● Search & install new software

Search package list in local database

Check conflict

Resolve the dependency graph (with version constraints this is NP-complete!)

● Upgrade software

Remove old version then install new version

● Safely remove software

● Verify the downloaded software content

(14)

People

User (you): enjoy & give feedback

Developer: working on the upstream project

Maintainer:

* Every distribution has its own maintainers

* Creates the distribution-specific experience

* Package stability, default options, usability

(15)

Workflow

[Workflow diagram] Developer (new release) → Maintainer (patch, review, build) → Build servers → Package repository → User (download packages). Feedback flows the other way: report bugs; report bugs, contribute code; feature request.

(16)

Mirror

Exercise: Which organization hosts the primary Debian mirror in Taiwan? (Hint: ftp.tw.debian.org)

Fun mirror: mirror.facebook.net

Fast mirror: ftp.twaren.net

(17)

Vim

as an example

Vim experience on Ubuntu

vim-basic, vim-athena, vim-athena-py2, vim-gnome, vim-gnome-py2, vim-gtk, vim-gtk-py2, vim-gtk3, vim-gtk3-py2, vim-nox, vim-nox-py2, vim-scripts, vim-tiny

Vim experience on Fedora

vim-x11, vim-minimal, vim-enhanced

● Different way of packaging

● Different default options

● Different plugin inclusion

● Different usability

https://src.fedoraproject.org/cgit/rpms/vim.git/

https://packages.debian.org/sid/vim

(18)

Package Life-cycle

(19)

Standard release v.s. Rolling release

● Standard release

Major package updates released in fixed cycle (six months for Fedora)

Packages well-tested when released

Only bugfix + small update between releases

Long Term Support (LTS)

Example: Ubuntu, Debian, Fedora

● Rolling release

Updates ship continuously, with little or no distribution-level testing before they reach users (Just Ship It!)

Good for the adventurer

Example: Arch Linux (CSIE workstation !!!!)

(20)

Debian

Unstable → Testing → Stable

Unstable: where new uploads land

Testing: a package migrates from Unstable after ~10 days without bugs reported

Stable: cut from Testing after ~2 years; thereafter receives security updates only

https://debian-handbook.info/browse/stable/sect.release-lifecycle.html

Life and Death of Software Packages: An Evolutionary Study of Debian, CASCON '12 Proceedings of the 2012 Conference of the Center for Advanced Studies on Collaborative Research

(21)

The Redhat family

Fedora:

* sponsored by Redhat

* Free

* 6 month release cycle

* Bleeding edge

RHEL:

* Long-term support

* Security fixes

* Non-free

CentOS:

* Uses the RHEL codebase

* Free

* Community-driven rather than a Redhat product (Red Hat has in fact sponsored the CentOS project since 2014)

(22)

Redhat, a giant in open source

The Linux Kernel

Gnome Desktop Environment

Xorg server, Systemd, NetworkManager

libvirt

http://community.redhat.com/software/

(23)

Fedora

Include only FREE open source software.

Software must not be proprietary or patented

Excluded: MP3, Flash Player, Nvidia driver (not excluded in Ubuntu)

● The driving force of software innovation

NetworkManager, SELinux, Wayland, Systemd, etc.

● Six-month release cycle: reasonably stable new software

(24)

Package Security

(25)

Distribution keys

[root@ubuntu]# apt-key list
/etc/apt/trusted.gpg
---
pub   1024D/437D05B5 2004-09-12
uid   Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
uid   Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
...

[root@centos]# rpm -ql centos-release | grep KEY
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Debug-7
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-7

[root@centos]# cat /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
...

(26)

Installing VirtualBox on CentOS

[root@centos]# cd /etc/yum.repos.d; wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo
[root@centos]# yum --enablerepo=epel install dkms
Retrieving key from https://www.virtualbox.org/download/oracle_vbox.asc
Importing GPG key 0x98AB5139:
 Userid     : "Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>"
 Fingerprint: 7b0f ab3a 13b9 0743 5925 d9c9 5442 2a4b 98ab 5139
 From       : https://www.virtualbox.org/download/oracle_vbox.asc
Is this ok [y/N]: y
....
[root@centos]# yum install VirtualBox-4.1

Typing y means you trust the repository! Compare the fingerprint against the one the vendor publishes out of band before answering.

(27)

Distribution keys

● A set of public keys is imported when you enable a repository

● When installing new packages, the downloaded content is checked against those keys: apt verifies the signature on the repository's Release file, which carries hashes of the package index, which in turn carries the hash of every .deb; rpm-based systems verify a signature on each package

● Only the signer holds the private key; the client needs only the public key to verify

This defeats man-in-the-middle and compromised-mirror attacks, in which an attacker:

Takes control of a package mirror

Adds malicious code to a package

Adds malicious dependencies to the package metadata

Tampers with the transfer when packages are downloaded over HTTP instead of HTTPS

Caveat: a signature proves who published the content, not that it is current. apt therefore also honours the Release file's Valid-Until field (where the archive sets it) so that a replayed, validly signed snapshot containing old vulnerable versions is rejected.

(28)

Distribution keys (2)

● CentOS and Ubuntu store just a few distribution-wide keys, either as plain-text key files or in a keyring

● Arch Linux keeps a keyring of many individual developer keys: each package is signed by its packager, and those keys are trusted through the distribution's master keys

pacman-key -l

● Language package repositories like PyPI and RubyGems allow arbitrary developers to upload packages, so there is no single publisher key to verify against and package signing is hard to enforce. Running the installer as root compounds the risk:

sudo pip install xxx
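Where a repository cannot give you a publisher signature, the practical substitute is to pin the hash of each artifact you have already vetted. The following requirements file is an added example, not from the slides or any project; the package version and the digest are placeholders, not real values.

```text
# requirements.txt (added example; the digest below is a placeholder)
# Generate a real digest with:  pip download <pkg>==<ver>  then  pip hash <file>
somepackage==1.2.3 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
```

Install with `pip install --require-hashes -r requirements.txt`, inside a virtualenv rather than with `sudo`: pip then refuses any download whose digest differs from the pinned one, and refuses dependencies that are not pinned at all, so a substituted upload or a compromised index cannot slip a different artifact past you.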

Further security enhancement: Debian's Reproducible Builds

See: https://wiki.debian.org/ReproducibleBuilds/About

(29)

Recent example

HandBrake mirror hacked and Mac OS X users compromised:

https://www.cyberciti.biz/open-source/handbrake-for-mac-mirror-server-was-compromised-and-infected-with-proton-malware/

Exercise: read the article and describe how package manager can protect you from attack like this.
