Re: Signing Packages.gz
On Sun, Apr 02, 2000 at 02:30:12PM -0600, Jason Gunthorpe wrote:
> On Sun, 2 Apr 2000, Marcus Brinkmann wrote:
>
> > This is a seperate problem. I agree that this should not be the case, but it
> > has no place in this discussion. If individual developer keys are
> > compromised, we have a problem no matter what. Developers should not store
> > secret keys on net connected machines, point.
> >
> > However, this only affects the developers packages, not the whole archive.
> ^^^^^^^^^^^^^^^^^^^^^
>
> GAH!? Don't you see that isn't true?? Look, a hack attempt would go like
> this.
>
> 1) Break root on master
> 2) Use that to break user account on developer victum (any will do)
> (Hint: I have already shown that torsten at least could be
> attacked quite easially)
> 3) Steal PGP key
> 4) Use stolen PGP to form new glibc package with trojan, sneak into
> archive using #1
And it wouldn't be strange that random Joe is uploading a pgp package?
And random joe or the real glibc maintainer will not speak up if this
really happens?
But you have a point, and I add this case:
This only affects the developers packages and NMUs.
(one could vaguely interpret a NMU as the developers package, as it is
carrying his signature, but I admit that I didn't have NMUs in mind when
writing this.)
Thanks,
Marcus
Reply to: