Proposal: Discourage rpmbuild --sign

Michael Schwendt ms-nospam-0306 at arcor.de
Thu Jan 1 07:43:47 UTC 2004


On Wed, 31 Dec 2003 17:24:23 +0000, Rui Miguel Seabra wrote:

> On Wed, 2003-12-31 at 15:43, Michael Schwendt wrote:
> > On Wed, 31 Dec 2003 02:42:28 -1000, Warren Togami wrote:
> > > Proposal
> > > ========
> > > rpm-4.2.2 in rawhide and all future versions should discourage the use 
> > > of rpmbuild --sign.  Perhaps this can be done effectively by adding a 
> > > large and annoying warning message and 15 second delay.  Or disable it 
> > > completely.  I don't care how, just discouragement should be done.
> > 
> > This is an over-ambitious proposal. How do you want to prevent users from
> > test-driving a built binary rpm with their normal user account where the
> > malicious software has access to many other security relevant data?
> 
> > People don't build src.rpms for fun. They build them to install the built
> > packages as root (!) and then to use them from within their normal user
> > account.
> 
> He's talking about 'rpmbuild --sign zbr' and not 'rpmbuild zbr'

I'm perfectly aware of that. But it doesn't make a difference.
 
> The problem is well explained, and only who doesn't believe a trojan
> could be injected in apparently good source code (ie, downloaded from
> sf.net, for instance -- ever heard of dns spoofs?) doesn't understand.
> 
> When I build RPMS for AbiWord, I build the RPMS with a specific user for
> rpmbuilding, and sign the rpms afterward with my key, on my account.

The problem continues when you install the built package as "root" and
when you use your normal user account to execute the software.

Separating an rpmbuild account from one that has access to your secret key
ring is good, but not bullet-proof.

Also think about developers who build rpms of their own software.  They
wouldn't like an "annoying warning message and a 15 second delay".
