
Re: Signing Packages.gz



On Sun, Apr 02, 2000 at 02:30:12PM -0600, Jason Gunthorpe wrote:
> On Sun, 2 Apr 2000, Marcus Brinkmann wrote:
> 
> > This is a separate problem. I agree that this should not be the case, but it
> > has no place in this discussion. If individual developer keys are
> > compromised, we have a problem no matter what. Developers should not store
> > secret keys on net connected machines, point.
> > 
> > However, this only affects the developer's packages, not the whole archive.
>                                                        ^^^^^^^^^^^^^^^^^^^^^
>  
> GAH!? Don't you see that isn't true?? Look, a hack attempt would go like
> this.
> 
>   1) Break root on master
>   2) Use that to break user account on developer victim (any will do)
>      (Hint: I have already shown that torsten at least could be 
>       attacked quite easily)
>   3) Steal PGP key
>   4) Use stolen PGP to form new glibc package with trojan, sneak into
>      archive using #1

And it wouldn't be strange that random Joe is uploading a pgp package?
And random Joe or the real glibc maintainer will not speak up if this
really happens?

But you have a point, and I add this case: 
This only affects the developer's packages and NMUs.
(one could vaguely interpret an NMU as the developer's package, as it is
carrying his signature, but I admit that I didn't have NMUs in mind when
writing this.)

Thanks,
Marcus

