Stakepool Operation Tools as a potential risk?

I hoped to get your opinion or a recommendation, so I just drafted potential conclusions here. I will not be able to validate and quantify the risk of a manipulated script. So I’m rather thinking about reducing the risk as far as I’m able to from a pure operator perspective.

  1. You’re placing all your hopes for survival of the decentralized ecosystem onto centralised IOG github accounts, and flagging not-so-rocket-science bash scripts as github-accounts-could-be-sacrificed. You can’t debate if that’s your basis of thought process since your outcome is pre-decided. I cannot and do not want to make you believe something else. A sacrificed script could update your hosts entries, but a binary compiled with similar web source wouldn’t.
  2. You’re adding the option docker to the mix, which is even less secure as the chroot kernel is shared with the host (even if using the IOG version), and by your assumptions, points b and c of the conclusion are almost similar.
  3. Your thread started by talking about block validations, then focused on scripts - then assume 50% of nodes are sacrificed - and not one member reads the code + this 50% excludes IOG and exchanges, github accounts of selective members are hacked… OR those with 4 years of reputation suddenly go rogue (but at the same time, not apply to the trusted bias).

So no - I am not really gonna be able to really provide any further answers as bias is prebuilt and I feel like having been struck by lightning 5 times a day, yes - that’s possible :wink:

A post was split to a new topic: Improvement suggestions for guild operators scripts

I’m sorry if this all seems to be just random switches between different topics.
For me it is a sequence of things that would allow a successful 51% attack.

Centrally managed script > used in a majority of nodes (not by number but by stake) > manipulates the source of a node or alters the source used for installing the next update, e.g. compromising the block validation logic

The chance for this to happen is probably extremely low if all code which goes into the tools comes from or is reviewed by trusted members. And the effort for one to run such an attack would be very high, and any attempt would probably be detected.

Still what @tomdx recommends sounds very valid to me.
Besides that, I think monitoring unwanted configuration (System and Cardano Config) changes sounds important to me just as a precaution.
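One way to do the configuration-change monitoring suggested above, as an added example that is not code from the thread or from the guild operators scripts: a POSIX shell baseline check with sha256sum. The paths used in the demo are constructed stand-ins; on a real node you would point it at the hosts file and the node's own config files.

```shell
#!/bin/sh
# Added example: record a hash baseline of files a centrally managed tool
# could silently alter, then re-check them later. Paths below are assumptions.
set -u

# Write sha256 digests of every given path into the baseline file.
fim_baseline() {
  baseline="$1"; shift
  sha256sum "$@" > "$baseline"
}

# Re-hash every path listed in the baseline. Returns 0 when nothing changed,
# 1 when any file was modified or is missing (sha256sum -c reports both).
fim_check() {
  baseline="$1"
  if sha256sum -c --quiet "$baseline" 2>/dev/null; then
    return 0
  fi
  return 1
}

# Demo on constructed files in a temp dir (not a real node's config).
fim_demo() {
  dir=$(mktemp -d)
  printf '127.0.0.1 localhost\n' > "$dir/hosts"
  printf '{"Protocol":"Cardano"}\n' > "$dir/config.json"
  fim_baseline "$dir/baseline.sha256" "$dir/hosts" "$dir/config.json"
  fim_check "$dir/baseline.sha256" && echo "baseline ok"
  # Simulate an unwanted change, e.g. a script adding a hosts entry.
  printf '10.0.0.1 relay.example\n' >> "$dir/hosts"
  fim_check "$dir/baseline.sha256" || echo "drift detected"
  rm -rf "$dir"
}

fim_demo
```

Store the baseline somewhere the update tooling cannot write to, and run fim_check from cron or your monitoring agent so a change is flagged rather than just logged locally.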