On Sun, Jan 20, 2013 at 02:04:19AM +0100, Jonas Häggqvist wrote:
> Or alternatively, if maybe the main build system should be used to
> provide these downloads?
For the windows sims, we could just set that up. All we need is a set of
build clients that have the mingw toolchain installed, an updated client
script that knows about this toolchain, and moving the resulting files
to an appropriate place. I'd say this can be done in less than a week if
we want it (but see also the general security note at the end of the
android bit).
For the android builds, the old problem of signing still exists. There
are several ways to handle that, each with its own pros and cons:
* build them all on the server, and let that handle the signing
We need some extra server-side scripts for this, and there will be
extra server load. I don't know if that's acceptable.
* distributed builds, central signing
This would need some new server-side scripts to handle the signing,
and some makefile modifications so we can easily build unsigned apps.
* distributed builds, shared signing key
This should work, and it requires nearly no new infrastructure, but
it's a *very* bad idea from a security point of view.
* distributed builds, no shared key
This doesn't really work. People would have to uninstall the app and
reinstall it for every update due to differing signing keys.
Note that all but the first option would (at least in theory) allow a
malicious third party to set up a fake build server and upload a
different binary, which would be a nice way to distribute malware. This
is also possible for all other builds of course, but for anything that's
not running on a general purpose device (such as a windows box or an
android phone), there's not much to gain for an attacker. It's probably
a good idea to only allow things like windows sims or android app builds
from known people (which would require some work; the build system
currently doesn't support that).
Frank
--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
Received on 2013-01-20
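The "distributed builds, central signing" option and the closing note about only accepting such uploads from known people, as an added example in Go. This is not code from the message or from the project's build system: the client IDs, enrolment secrets, artifact bytes and the `Upload` format are all constructed for illustration, and Ed25519 stands in for the real APK signing step (a real server would hand the unsigned APK to apksigner/jarsigner with the release key instead). The point it shows is the split the message describes: build clients never hold the release key, the server only signs artifacts whose upload tag verifies under a per-client secret it already knows (so a fake build server is rejected), and a device that already has the app installed rejects a build signed with any other key, which is why the "no shared key" option forces uninstall/reinstall. The caveat: this stops strangers, not a compromised known client, which can still upload whatever it built.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Upload is what a distributed build client sends to the central signing
// server: the unsigned artifact plus an HMAC over it keyed with the client's
// enrolment secret, so the server can tell known clients from strangers.
// (Constructed format for this example, not the project's protocol.)
type Upload struct {
	ClientID string
	Target   string // e.g. "android" or "win32sim"
	Artifact []byte // unsigned APK / sim archive
	Tag      []byte // HMAC-SHA256(secret, ClientID || Target || SHA256(Artifact))
}

// authMessage binds client, target and artifact digest into one tagged string.
func authMessage(clientID, target string, artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return []byte(clientID + "\x00" + target + "\x00" + hex.EncodeToString(sum[:]))
}

// ClientTag runs on the build client. It only has its own enrolment secret,
// never the release key.
func ClientTag(secret []byte, clientID, target string, artifact []byte) Upload {
	mac := hmac.New(sha256.New, secret)
	mac.Write(authMessage(clientID, target, artifact))
	return Upload{ClientID: clientID, Target: target, Artifact: artifact, Tag: mac.Sum(nil)}
}

// SigningServer holds the list of known build clients (their enrolment
// secrets) and the single release key used for every Android build.
type SigningServer struct {
	clients    map[string][]byte // client ID -> enrolment secret
	releaseKey ed25519.PrivateKey
	ReleasePub ed25519.PublicKey // what installed apps pin against
}

var ErrUnknownClient = errors.New("upload from unknown build client")
var ErrBadTag = errors.New("client tag does not verify for this artifact")

// NewSigningServer generates a fresh release key; in practice this key would
// be loaded from protected storage on the server and never leave it.
func NewSigningServer(clients map[string][]byte) (*SigningServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningServer{clients: clients, releaseKey: priv, ReleasePub: pub}, nil
}

// Accept rejects uploads from unknown clients or with a tag that does not
// match the artifact (a fake build server, or a binary swapped in transit),
// and only then signs the artifact with the release key.
func (s *SigningServer) Accept(u Upload) ([]byte, error) {
	secret, ok := s.clients[u.ClientID]
	if !ok {
		return nil, ErrUnknownClient
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(authMessage(u.ClientID, u.Target, u.Artifact))
	if !hmac.Equal(mac.Sum(nil), u.Tag) { // constant-time compare
		return nil, ErrBadTag
	}
	return ed25519.Sign(s.releaseKey, u.Artifact), nil
}

// DeviceAccepts models the installed app's update rule: a new build must be
// signed by the same key as the installed one, otherwise it is refused.
func DeviceAccepts(installedKey ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(installedKey, artifact, sig)
}

func main() {
	srv, err := NewSigningServer(map[string][]byte{"build-client-a": []byte("enrolment-secret-a")})
	if err != nil {
		panic(err)
	}
	apk := []byte("unsigned app contents (constructed)")
	up := ClientTag([]byte("enrolment-secret-a"), "build-client-a", "android", apk)
	sig, err := srv.Accept(up)
	fmt.Println("known client signed:", err == nil, "device accepts:", DeviceAccepts(srv.ReleasePub, apk, sig))
	_, err = srv.Accept(ClientTag([]byte("guess"), "fake-build-server", "android", []byte("malware")))
	fmt.Println("fake build server:", err)
}
```

Enrolling a client means giving it a secret and adding it to the server's map; revoking it means deleting the entry. The server load is only one HMAC check and one signature per upload, so the "extra server load" concern of the first option (building everything centrally) does not apply to this one.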