[Dev] Bug #567 has significant security impact on binaries
fauno
fauno at endefensadelsl.org
Sat Jun 27 16:11:47 GMT 2015
Michał Masłowski <mtjm at mtjm.eu> writes:
>> The package will be compiled, and immediately signed with the packager's
>> key during compile process.
>
> This isn't nice for batch builds: user leaves the computer building for
> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
> gpg-agent will cache it for a short time.
right, this was the initial decision for putting signing on
librerelease. security-wise having to put the signature for
each batch/unattended build is bothersome but necessary.
>> 1) Someone or something could modify the package while it's sitting
>> around waiting to be uploaded on the packager's computer.
>
> If the developer changes file permissions so others can write to their
> files, and has malicious local users or sufficient remotely-exploitable
> vulnerabilities, there are much bigger problems.
+1
>> 2) If librerelease is signing binaries only, what is to prevent someone
>> from taking a random modified binary and pushing it to the main repo
>> with their key?
>
> This can be solved only by not having the developers build and upload
> anything to the repo.
xD
what happened with reproducible builds?
btw i've been signing my commits to abslibre.git, i don't know how this
can be useful to verify that the pkgbuild corresponds to the binary
package.
--
http://vqfe4xmhxzi7w2uv.onion
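An added example, not part of this thread and not code from libretools or librerelease: a small POSIX shell sketch of one way to close the gap the thread is arguing about. At build time it writes a manifest that records the SHA-256 of the built package together with the git commit id of the PKGBUILD it was built from (the commit id is an assumed input, passed as an argument), and optionally detach-signs that manifest with a packager key. At release time it verifies the signature, if present, and checks that the package on disk still matches the manifest, so a package modified while sitting around waiting to be uploaded is refused. Package and manifest file names, the `.manifest` suffix and the key id argument are assumptions of this example; `sha256sum` and `gpg` are the stock tools.

```shell
#!/bin/sh
# Added example (not libretools/librerelease code): tie a built package to the
# PKGBUILD commit it came from and detect tampering between build and upload.
set -eu

# write_manifest PKGFILE COMMIT
# Records the package name, the PKGBUILD commit id (assumed input) and the
# package hash in PKGFILE.manifest; prints the manifest path.
write_manifest() {
    pkg="$1"; commit="$2"; manifest="$pkg.manifest"
    {
        printf 'package: %s\n' "$(basename "$pkg")"
        printf 'pkgbuild-commit: %s\n' "$commit"
        printf 'sha256: %s\n' "$(sha256sum "$pkg" | cut -d' ' -f1)"
    } > "$manifest"
    printf '%s\n' "$manifest"
}

# sign_manifest MANIFEST [KEYID]
# Detached, armored signature of the manifest (MANIFEST.asc); skipped when no
# key id is given so unattended builds can defer signing to release time.
sign_manifest() {
    manifest="$1"; keyid="${2:-}"
    [ -n "$keyid" ] || return 0
    gpg --batch --yes --local-user "$keyid" --detach-sign --armor "$manifest"
}

# verify_manifest PKGFILE
# Returns 0 only if (a) a signature, when present, verifies and (b) the
# package hash on disk still equals the hash recorded at build time.
verify_manifest() {
    pkg="$1"; manifest="$pkg.manifest"
    [ -f "$manifest" ] || return 1
    if [ -f "$manifest.asc" ]; then
        gpg --batch --verify "$manifest.asc" "$manifest" >/dev/null 2>&1 || return 1
    fi
    expected=$(sed -n 's/^sha256: //p' "$manifest")
    actual=$(sha256sum "$pkg" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage (build host):   m=$(write_manifest foo-1.0-1-x86_64.pkg.tar.xz "$(git rev-parse HEAD)")
#                       sign_manifest "$m" ABCD1234   # key id is illustrative
# Usage (release step): verify_manifest foo-1.0-1-x86_64.pkg.tar.xz || exit 1
```

The manifest, not the bare package, is what gets signed, so a reviewer can later check three things from one signature: which PKGBUILD commit the binary claims to come from, that the binary is the one the builder hashed, and who vouched for it. Whether the PKGBUILD at that commit really produces that binary is the reproducible-builds question raised in the thread and is outside what a hash can prove.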