[Dev] Bug #567 has significant security impact on binaries

fauno fauno at endefensadelsl.org
Sat Jun 27 16:11:47 GMT 2015

Michał Masłowski <mtjm at mtjm.eu> writes:

>> The package will be compiled, and immediately signed with the packager's
>> key during compile process.
> This isn't nice for batch builds: user leaves the computer building for
> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
> gpg-agent will cache it for a short time.

right, this was the initial decision for putting signing on
librerelease.  security-wise having to put the signature for
each batch/unnatended build is bothersome but necessary.

>> 1) Someone or something could modify the package while it's sitting
>> around waiting to be uploaded on the packager's computer.
> If the developer changes file permissions so others can write to their
> files, and has malicious local users or sufficient remotely-exploitable
> vulnerabilities, there are much bigger problems.


>> 2) If librerelease is signing binaries only, what is to prevent someone
>> from taking a random modified binary and pushing it to the main repo
>> with their key?
> This can be solved only by not having the developers build and upload
> anything to the repo.


what happened with reproducible builds?

btw i've been signing my commits to abslibre.git, i don't know how this
can be useful to verify that the pkgbuild corresponds to the binary

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 584 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20150627/1c89263e/attachment.sig>

More information about the Dev mailing list