[Dev] Bug #567 has significant security impact on binaries

Luke g4jc at openmailbox.org
Sat Jun 27 16:18:37 GMT 2015

On 06/27/2015 12:11 PM, fauno wrote:
> Michał Masłowski <mtjm at mtjm.eu> writes:
>>> The package will be compiled, and immediately signed with the packager's
>>> key during compile process.
>> This isn't nice for batch builds: user leaves the computer building for
>> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
>> gpg-agent will cache it for a short time.
> right, this was the initial decision for putting signing on
> librerelease.  security-wise having to put the signature for
> each batch/unnatended build is bothersome but necessary.
If this is actually an issue, it is described in the manpage for gpg-agent.

nano ~/.gnupg/gpg-agent-conf
set default-cache-ttl and max-cache-ttl as needed.
I would suppose a simple bash script could also be made that looks for
the makepkg process. If it still exists, increase time-to-live in
gpg-agent by x-seconds.
This is still better than signing long after the package has been built.

>>> 1) Someone or something could modify the package while it's sitting
>>> around waiting to be uploaded on the packager's computer.
>> If the developer changes file permissions so others can write to their
>> files, and has malicious local users or sufficient remotely-exploitable
>> vulnerabilities, there are much bigger problems.
> +1
>>> 2) If librerelease is signing binaries only, what is to prevent someone
>>> from taking a random modified binary and pushing it to the main repo
>>> with their key?
>> This can be solved only by not having the developers build and upload
>> anything to the repo.
> xD
> what happened with reproducible builds?
> btw i've been signing my commits to abslibre.git, i don't know how this
> can be useful to verify that the pkgbuild corresponds to the binary
> package.

Reproducible builds is another great idea, and Debian has been making
good progress with it.
Signing commits is also not a bad idea, since at least we know that you
took the time to sign your commits. Meaning no one should be
impersonating fauno or doing MITM against your git push procedures. :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20150627/22ce8958/attachment.sig>

More information about the Dev mailing list