Proposal: Discourage rpmbuild --sign

Willem Riede wrrhdev at riede.org
Wed Dec 31 19:02:48 UTC 2003


On 2003.12.31 12:24, Rui Miguel Seabra wrote:
> On Wed, 2003-12-31 at 15:43, Michael Schwendt wrote:
> 
> > People don't build src.rpms for fun. They build them to install the built
> > packages as root (!) and then to use them from within their normal user
> > account.
> 
> He's talking about 'rpmbuild --sign zbr' and not 'rpmbuild zbr'
> 
> The problem is well explained, and only someone who doesn't believe a trojan
> could be injected into apparently good source code (i.e., downloaded from
> sf.net, for instance -- ever heard of DNS spoofs?) doesn't understand.
> 
> When I build RPMS for AbiWord, I build the RPMS with a specific user for
> rpmbuilding, and sign the rpms afterward with my key, on my account.

While that is a good practice, is it sufficient? How do you know that the 
package you just attached your reputation to (by signing with your key)
isn't going to trash or take over the system of any user that installs it?

Just because it didn't do that when you installed the package you just 
built may only mean that the trojan's programmer coded a test to not trash
the host on which it is built so it has a better chance to propagate.

And how does knowing that the package is safe to install by your users
differ from the knowledge needed to be confident that building the package
in the first place (irrespective whether that's as root or the key owner)
will not end in disaster?

Thanks, Willem Riede.
