vsftpd in the news

Michael Schwendt mschwendt at gmail.com
Wed Jul 6 07:07:48 UTC 2011


On Tue, 05 Jul 2011 17:05:45 -0500, MC (Michael) wrote:

> > Some packagers do upload the detached sig and add it to the spec
> > as another Source file URL.
> 
> Great! Except I haven't done so. I wasn't required to submit a signature
> for my package nor does the Package Guideline pages refer to doing so.
> Might be worth someone's time to mention it on the wiki (who knows about
> this functionality).

It isn't any "functionality".

It is just possible to place a tarball and its detached GPG sig file in
the source RPM package for anyone who may want to verify the sig manually
at some point in time.

Verifying detached tarball sigs isn't trivial or 100% safe anyway. One
needs to be very familiar with the signer's key(s). Else the risk is too
high that a user simply fetches a needed key from a key server without
applying extra care.

And for a sufficiently large tarball of a project with N>1 devs, has the
signer been able to actually verify all source code changes prior to
signing the tarball? Or is the signature only used to flag a package as
coming from a trusted project developer without any additional guarantees?
A tarball sig is just one layer of safety, but no ultimate protection.

> > The uploaded tarball checksum enters the "sources" file in git, and any
> > tarball downloaded from the lookaside cache MUST match that checksum.
> > Else it wouldn't be downloaded and used. Source RPM build in koji would
> > fail.
> 
> This is just a checksum against the tarball that enters the lookaside 
> cache. Yes, I know about this. A malicious package could have been 
> uploaded to the lookaside cache, however. This leads to demanding 
> everyone have signatures available, but what do you do about SVN/Git 
> checkouts or projects that don't wish to provide signatures?
 
Obviously, one needs to be very careful, skim over diffs, monitor commits
regularly, archive snapshots regularly, be familiar with upstream release
habits. Upstream also needs to do that, to avoid a compromised committer account
being used to infiltrate the project. If a source code repository
is modified without permission and no developer (or release manager) notices it,
would the person adding the tarball sig notice it?
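The two layers discussed above, the lookaside checksum recorded in the "sources" file and a detached signature that only means something if you already know the signer's key, as an added Python example. This is not code from the thread or from Fedora's packaging tools. The two "sources" file layouts and the layout of gpg's `--status-fd` VALIDSIG line are assumed from current practice; the tarball bytes, checksums, fingerprints and status lines are constructed for the example. The signature check deliberately ignores GOODSIG and accepts only a VALIDSIG whose primary key fingerprint was pinned in advance, so a key merely fetched from a key server does not pass.

```python
import hashlib
import re

# Fedora's "sources" file records one checksum per uploaded tarball. Two
# layouts are assumed here: the current "SHA512 (name) = hex" form and the
# older "md5hex  name" form (layouts assumed from packaging practice).
NEW_FMT = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")
OLD_FMT = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})\s+(?P<name>\S+)$")

# Constructed sample: the "tarballs" are tiny byte strings, not real releases.
SAMPLE_TARBALLS = {
    "vsftpd-example.tar.gz": b"abc",
    "vsftpd-legacy.tar.gz": b"abc",
}
SAMPLE_SOURCES = """\
SHA256 (vsftpd-example.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
900150983cd24fb0d6963f7d28e17f72  vsftpd-legacy.tar.gz
"""

# Fingerprints the packager verified out of band (constructed placeholder value).
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed gpg --status-fd output. In gpg's VALIDSIG line the last field is
# the primary key fingerprint; GOODSIG only says the key was in the keyring.
STATUS_TRUSTED = [
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <rm@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-07-05 1309910000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
]
STATUS_UNKNOWN_KEY = [
    "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-07-05 1309910000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98",
]


def parse_sources(text):
    """Return {filename: (algorithm, hexdigest)} from a sources file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEW_FMT.match(line)
        if m:
            entries[m.group("name")] = (m.group("algo").lower(), m.group("hex").lower())
            continue
        m = OLD_FMT.match(line)
        if m:
            entries[m.group("name")] = ("md5", m.group("hex").lower())
            continue
        raise ValueError(f"unparseable sources line: {line!r}")
    return entries


def verify_source(data, name, sources_text):
    """Mirror the lookaside rule: a tarball not listed, or not matching, is unusable."""
    entries = parse_sources(sources_text)
    if name not in entries:
        return False
    algo, expected = entries[name]
    return hashlib.new(algo, data).hexdigest() == expected


def signature_is_trusted(status_lines, pinned_fingerprints):
    """True only if gpg reported VALIDSIG and the primary key fingerprint is pinned.

    Field count 12 means the primary-key fingerprint is present as the last
    field; older gpg omits it, in which case the signing fingerprint is used.
    """
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fpr = parts[-1] if len(parts) >= 12 else parts[2]
            return fpr.upper() in {f.upper() for f in pinned_fingerprints}
    return False


def check_release(name, data, sources_text, status_lines, pinned_fingerprints):
    """Report both layers separately; neither one substitutes for the other."""
    return {
        "checksum_ok": verify_source(data, name, sources_text),
        "signature_trusted": signature_is_trusted(status_lines, pinned_fingerprints),
    }


if __name__ == "__main__":
    for name, data in SAMPLE_TARBALLS.items():
        print(name, check_release(name, data, SAMPLE_SOURCES, STATUS_TRUSTED, PINNED_FINGERPRINTS))
    print("unknown key:", check_release("vsftpd-example.tar.gz", b"abc", SAMPLE_SOURCES,
                                        STATUS_UNKNOWN_KEY, PINNED_FINGERPRINTS))
```

In real use the status lines come from `gpg --status-fd 1 --verify tarball.sig tarball`; the point of parsing VALIDSIG rather than trusting the exit code alone is that a signature from any key in the keyring also yields a good exit status, which is exactly the key-server risk the message describes.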

