[Dev] Bug #567 has significant security impact on binaries

Michał Masłowski mtjm at mtjm.eu
Sat Jun 27 15:54:00 GMT 2015

> The package will be compiled, and immediately signed with the packager's
> key during compile process.

This isn't nice for batch builds: user leaves the computer building for
hours, then runs librerelease, inputs the GPG passphrase for pinentry,
gpg-agent will cache it for a short time.

> 1) Someone or something could modify the package while it's sitting
> around waiting to be uploaded on the packager's computer.

If the developer changes file permissions so others can write to their
files, and has malicious local users or sufficient remotely-exploitable
vulnerabilities, there are much bigger problems.

> 2) If librerelease is signing binaries only, what is to prevent someone
> from taking a random modified binary and pushing it to the main repo
> with their key?

This can be solved only by not having the developers build and upload
anything to the repo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20150627/15ad26ac/attachment.sig>

More information about the Dev mailing list