fedora-startqa

Toshio toshio at tiki-lounge.com
Fri Apr 2 15:46:24 UTC 2004


On Fri, 2004-04-02 at 01:43, Aurelien Bompard wrote:
> > - (Showing my ignorance of mach) How safe is it to build untrusted
> > sources within mach?  since mach builds the package before the user gets
> > a chance to go look at whether the Source URL is canonical, I was
> > wondering....
> 
> Well, you can read the spec file before building in mach, so you can look at
> the URLs for the sources, start your browser and have a look. Is that what
> you mean ?
Two problems:
1) In batch mode, the human element is missing.  If it is insecure,
there needs to be a way to disable mach building from the commandline.

2) If the script is aimed at newbies, there should be a warning of the
potential dangers of building the source package and what can be done to
reduce that risk.  In qa-assistant's checklist, I tried to create a list
of High Security items that should be evaluated before the reviewer
started doing anything else.  Maybe a list like that (minus things that
are checked automatically) spit out to the screen before viewing the
spec file?

> > - The first time I ran it, the script errored out because there was an
> > old version of an md5sum file on the server that didn't have the package
> > version I had up there.
> 
> Can you give me a bug id ?
> 
I corrected the out of date md5sum file (It was with a package that I
had control over.)  I'll try re-provoking the bug (or tracing it in the
code) when I have a bit of time.

> > However, GPG signed SRPMs are equivalent to 
> > checking a GPG signed md5sum file that has an  md5sum for the SRPM.  So
> > my view is if the GPG signature on the SRPM is good and the MD5SUM file
> > doesn't contradict it (ie: different signing keys, different MD5Sums for
> > the same file) it shouldn't error out.
> 
> Yes, there is this -c option to disable srpm md5sum checking.
> 
I'll give this a try too.  I think, though, what I want is for the
script to automatically make a decision that an SRPM with a valid GPG
signature does not have to have its md5sum checked.

Slightly more paranoid is to make the following checks:
1] GPG signature of SRPM
2] Is the md5sum of the relevant SRPM in the md5sum file?
3] GPG signature of md5sum file
4] Did the same key sign both files?

If all pass, then pass the test.
If 1] Pass and 2] Is fail, pass the test.
All other cases fail.
-- 
_______S________U________B________L________I________M________E_______
  t  o  s  h  i  o  +  t  i  k  i  -  l  o  u  n  g  e  .  c  o  m
                                                          GA->ME 1999
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20040402/4c599123/attachment-0002.bin 
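The four-check rule at the end of the message above, written out as an added example (not code from fedora-startqa, qa-assistant, or the author's own scripts). It parses an md5sum(1)-format file, pulls the signer's fingerprint out of gpg's machine-readable `--status-fd` output for that file, and applies the decision table: pass when all four checks pass, pass when the SRPM signature is good but the SRPM simply is not listed in the md5sum file, fail otherwise. The SRPM's own signer fingerprint is assumed to be obtained separately (for instance from rpm's signature check) and is passed in; a listing with a different digest for the same file name is treated as a contradiction, which is my reading of the "different MD5Sums for the same file" case in the thread. All sample data (SRPM bytes, sums files, gpg status lines, key fingerprints) is constructed here.

```python
"""Accept-or-reject logic for an SRPM checked against a GPG-signed md5sum
file.  Added example, not qa-assistant/fedora-startqa code.  The SRPM signer
fingerprint is assumed to come from a separate rpm signature check; the
md5sum file's signer is parsed from `gpg --status-fd 1 --verify` output."""
import hashlib
import os
from typing import Dict, Optional, Tuple

VALIDSIG = "[GNUPG:] VALIDSIG "


def parse_md5sum_file(text: str) -> Dict[str, str]:
    """Parse md5sum(1) output: one '<32 hex>  <path>' entry per line.
    Returns {basename: hexdigest}; a leading '*' (binary mode) is dropped.
    Malformed lines raise rather than being silently ignored."""
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError(f"malformed md5sum line: {raw!r}")
        digest, name = parts
        sums[os.path.basename(name.lstrip("*"))] = digest.lower()
    return sums


def signer_from_gpg_status(status: str) -> Optional[str]:
    """Return the primary-key fingerprint behind a *valid* signature from
    gpg --status-fd output, or None.  gpg emits VALIDSIG only when the
    signature verified; field 1 is the signing-key fingerprint and the
    optional 10th field is the primary key's fingerprint (preferred)."""
    for line in status.splitlines():
        if line.startswith(VALIDSIG):
            fields = line[len(VALIDSIG):].split()
            return fields[9] if len(fields) >= 10 else fields[0]
    return None


def decide(srpm_name: str, srpm_bytes: bytes, srpm_signer: Optional[str],
           sums_text: Optional[str], sums_signer: Optional[str]) -> Tuple[bool, str]:
    """Checks: 1] SRPM signature, 2] SRPM listed in md5sum file,
    3] md5sum file signature, 4] same key on both.
    All pass -> pass; 1] pass and 2] fail -> pass; anything else -> fail."""
    if srpm_signer is None:
        return False, "check 1 failed: SRPM has no valid GPG signature"
    listed = parse_md5sum_file(sums_text).get(srpm_name) if sums_text else None
    if listed is None:
        return True, "check 1 passed, check 2 failed: SRPM not in md5sum file"
    if listed != hashlib.md5(srpm_bytes).hexdigest():
        return False, "md5sum file contradicts the SRPM contents"
    if sums_signer is None:
        return False, "check 3 failed: md5sum file lists the SRPM but is not validly signed"
    if sums_signer != srpm_signer:
        return False, "check 4 failed: SRPM and md5sum file signed by different keys"
    return True, "all four checks passed"


# Constructed sample data (not from the list): fake SRPM bytes, three md5sum
# files, two key fingerprints and gpg status output for a good/bad signature.
SRPM_NAME = "example-1.0-1.src.rpm"
SRPM_BYTES = b"not a real rpm, just bytes to digest"
SRPM_MD5 = hashlib.md5(SRPM_BYTES).hexdigest()
KEY_A = "A" * 40
KEY_B = "B" * 40
SUMS_OK = f"{SRPM_MD5}  {SRPM_NAME}\n{'0' * 32}  other-2.0-1.src.rpm\n"
SUMS_STALE = f"{'0' * 32}  other-2.0-1.src.rpm\n"          # SRPM not listed
SUMS_WRONG = f"{'f' * 32}  {SRPM_NAME}\n"                  # listed, wrong digest
STATUS_GOOD_A = (f"[GNUPG:] GOODSIG {KEY_A[-16:]} Example Packager <pkg@example.org>\n"
                 f"[GNUPG:] VALIDSIG {KEY_A} 2004-04-02 1080920784 0 4 0 17 2 00 {KEY_A}\n")
STATUS_BAD = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Example Packager <pkg@example.org>\n"

if __name__ == "__main__":
    cases = {
        "all pass":          (KEY_A, SUMS_OK,    signer_from_gpg_status(STATUS_GOOD_A)),
        "stale sums file":   (KEY_A, SUMS_STALE, KEY_A),
        "unsigned srpm":     (None,  SUMS_OK,    KEY_A),
        "digest mismatch":   (KEY_A, SUMS_WRONG, KEY_A),
        "bad sig on sums":   (KEY_A, SUMS_OK,    signer_from_gpg_status(STATUS_BAD)),
        "different keys":    (KEY_A, SUMS_OK,    KEY_B),
    }
    for label, (srpm_signer, sums, sums_signer) in cases.items():
        ok, why = decide(SRPM_NAME, SRPM_BYTES, srpm_signer, sums, sums_signer)
        print(f"{label:18} {'PASS' if ok else 'FAIL'}  {why}")
```

Note that under this rule a sums file that lists the SRPM correctly but carries no valid signature still fails (check 3), which is stricter than the `-c` option of simply skipping the md5sum check. MD5 is no longer collision resistant, so the signature on the SRPM is what carries the trust here; the signed md5sum file only serves as a cross-check that must not contradict it.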