vsftpd in the news
Misha Shnurapet
shnurapet at fedoraproject.org
Wed Jul 6 08:04:24 UTC 2011
06.07.2011, 16:07, "Michael Schwendt" <mschwendt at gmail.com>:
> And for a sufficiently large tarball of a project with N>1 devs, has the
> signer been able to actually verify all source code changes prior to
> signing the tarball? Or is the signature only used to flag a package as
> coming from a trusted project developer without any additional guarantees?
> A tarball sig is just one layer of safety, but no ultimate protection.
>>> The uploaded tarball checksum enters the "sources" file in git, and any
>>> tarball downloaded from the lookaside cache MUST match that checksum.
>>> Else it wouldn't be downloaded and used. Source RPM build in koji would
>>> fail.
>> This is just a checksum against the tarball that enters the lookaside
>> cache. Yes, I know about this. A malicious package could have been
>> uploaded to the lookaside cache, however. This leads to demanding
>> everyone have signatures available, but what do you do about SVN/Git
>> checkouts or projects that don't wish to provide signatures?
>
> Obviously, one needs to be very careful, skim over diffs, monitor commits
> regularly, archive snapshots regularly, be familiar with upstream release
> habits. Upstream also needs to do that, to avoid a compromised committer
> account being used to infiltrate the project. If a source code repository
> is modified without permission and no developer (or release manager) notices it,
> would the person adding the tarball sig notice it?
The developer of vsftpd didn't notice the change, but early prevention was still possible.
The issue is *one* of the ways source code can be exploited, and checking the GPG signatures for the projects that provide them is a measure against this particular kind of attack. Literally, it would close one vulnerability in the distro. Which is enough.
--
Best regards,
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306
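The two layers argued over in this thread, as an added example that is not part of the original post and not Fedora's own tooling: the "sources" checksum that ties a git commit to a blob in the lookaside cache, and the upstream detached GPG signature that ties the blob to the upstream key. The sample tarballs, file names and key handling are constructed for illustration; the "sources" line layouts assumed are the md5sum-style `<hex>  <file>` form and the `SHA512 (<file>) = <hex>` form.

```python
"""Two independent checks on an upstream tarball (added illustration, not Fedora code).

Layer 1 mirrors the lookaside rule quoted in the thread: the file's digest must
equal the entry recorded in "sources".  Layer 2 is the extra step the reply
argues for: a detached signature from the upstream key, verified with gpg.
"""
import hashlib
import hmac
import os
import re
import shutil
import subprocess
import tempfile

# Assumed "sources" layouts: old md5sum style and the newer "ALGO (file) = hex" style.
OLD_STYLE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S+)$")
NEW_STYLE = re.compile(r"^(\w+)\s+\((.+)\)\s+=\s+([0-9a-fA-F]+)$")
DIGEST_BY_LENGTH = {32: "md5", 64: "sha256", 128: "sha512"}


def parse_sources(text):
    """Return {filename: (algorithm, hexdigest)} for every entry in a sources file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NEW_STYLE.match(line)
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
            continue
        m = OLD_STYLE.match(line)
        if m:
            digest = m.group(1).lower()
            algo = DIGEST_BY_LENGTH.get(len(digest))
            if algo is None:
                raise ValueError(f"unknown digest length in: {line!r}")
            entries[m.group(2)] = (algo, digest)
            continue
        raise ValueError(f"unparseable sources line: {line!r}")
    return entries


def file_digest(path, algo):
    """Hex digest of a file, streamed so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_sources(sources_text, tarball_path):
    """Layer 1: True iff the tarball's digest equals its "sources" entry.

    KeyError if the file has no entry (the build would refuse to fetch it).
    """
    name = os.path.basename(tarball_path)
    algo, expected = parse_sources(sources_text)[name]
    return hmac.compare_digest(file_digest(tarball_path, algo), expected)


def verify_detached_signature(tarball_path, sig_path, keyring_path):
    """Layer 2: verify an upstream detached signature against a pinned keyring.

    Uses only the keys in keyring_path (absolute path), ignoring the user's
    default keyring, and reads gpg's machine-readable status lines.  Returns the
    signing key fingerprint on a good signature, None otherwise.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(
        [gpg, "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, tarball_path],
        capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2]
    return None


def demo():
    """Constructed scenario (sample bytes, not real tarballs) showing what layer 1
    does and does not catch.  Returns the three outcomes for inspection."""
    tmp = tempfile.mkdtemp()
    try:
        clean = os.path.join(tmp, "clean", "example-1.0.tar.gz")
        tampered = os.path.join(tmp, "tampered", "example-1.0.tar.gz")
        os.makedirs(os.path.dirname(clean))
        os.makedirs(os.path.dirname(tampered))
        with open(clean, "wb") as f:
            f.write(b"clean upstream release\n")
        with open(tampered, "wb") as f:
            f.write(b"clean upstream release\n/* extra code */\n")
        # Entry a packager records after uploading the genuine tarball.
        sources_clean = "SHA512 (example-1.0.tar.gz) = " + file_digest(clean, "sha512") + "\n"
        # Entry a packager would record if the download was already tampered
        # with upstream: the checksum then binds git to the tampered blob.
        sources_regen = "SHA512 (example-1.0.tar.gz) = " + file_digest(tampered, "sha512") + "\n"
        return {
            "clean_matches": check_against_sources(sources_clean, clean),
            "tampered_matches": check_against_sources(sources_clean, tampered),
            "regenerated_matches": check_against_sources(sources_regen, tampered),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The third outcome is the point of the thread: a checksum entry generated from an already-substituted tarball matches perfectly, so the lookaside check alone never sees the swap. Only a signature made with a key the attacker did not hold, verified against a keyring pinned in the package (not whatever happens to be in the packager's default keyring), fails in that case.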