Re: Debian upload monitor

On Thu, May 01, 2008 at 05:58:40PM +0100, Enrico Zini wrote:
> On Thu, May 01, 2008 at 05:25:16PM +0200, Thijs Kinkhorst wrote:
> > Doesn't dak already send you an email when it processes an upload with your 
> > key? What exactly does this add on top of that functionality?
> The problem is that it seems to be possible to craft an upload that will
> send an email elsewhere so you won't notice it.
How so?  I'm sure the dak maintainers would like to know of this.  My
understanding is that dak does it like this:

 - extract ID of key used to sign upload
 - lookup ID in Debian keyring
 - determine Debian account associated with key ID
 - send email to that Debian email (unless the uploader's email, as
   noted in the changelog entry, is one of the ones explicitly listed in
   the key)

I am curious how you could craft an upload that would use a key
(ostensibly not your own, since you would know what you are uploading
anyway) where you could use some random DD's key to do the upload
without an email going to that DD.  It seems like you would need to
forge the GPG signature.



Roberto C. Sánchez
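As an added illustration of the recipient-selection rule sketched in the message above (example code written for this page, not dak's own implementation): the notification address is derived from the key that verifiably signed the .changes file, while the Changed-By field is only consulted to pick among the UIDs already carried on that key. The keyring, the .changes headers and the gpg status lines are all constructed here; the interpretation of the "unless" clause (Changed-By wins only when it matches a UID on the signing key) is an assumption.

```python
"""Simulation of the notification rule described above (constructed data)."""
import email
import re

# Constructed keyring: long key ID -> (Debian login, UIDs on the key).
# Hypothetical entries, not the real Debian keyring.
KEYRING = {
    "0123456789ABCDEF": ("alice", ["alice@debian.org", "alice@example.org"]),
    "FEDCBA9876543210": ("bob", ["bob@debian.org"]),
}
DEBIAN_DOMAIN = "debian.org"

# Constructed gpg --status-fd output for a good and a bad signature.
STATUS_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@debian.org>
[GNUPG:] VALIDSIG 1111222233334444555566660123456789ABCDEF 2008-05-01 1209661200 0 4 0 17 2 00 1111222233334444555566660123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE
"""
STATUS_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@debian.org>
"""

# Constructed .changes header block; Changed-By is fully under the uploader's control.
CHANGES_TEMPLATE = """Format: 1.8
Date: Thu, 01 May 2008 18:00:00 +0100
Source: hello
Binary: hello
Architecture: source
Version: 2.2-1
Distribution: unstable
Maintainer: Alice Example <alice@example.org>
Changed-By: {changed_by}
Description:
 hello - The classic greeting
Changes:
 hello (2.2-1) unstable; urgency=low
 .
   * New upstream release.
Files:
 d41d8cd98f00b204e9800998ecf8427e 1000 devel optional hello_2.2-1.dsc
"""
CHANGES_MALLORY = CHANGES_TEMPLATE.format(changed_by="Mallory <mallory@example.net>")
CHANGES_ALICE = CHANGES_TEMPLATE.format(changed_by="Alice Example <alice@example.org>")


def signer_keyid_from_status(status_text):
    """Step 1: take the signer's long key ID only from a GOODSIG that is also
    VALIDSIG; any BADSIG/ERRSIG/NO_PUBKEY/expired/revoked line means no signer."""
    keyid, valid = None, False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag = parts[1]
        if tag == "GOODSIG":
            keyid = parts[2].upper()
        elif tag == "VALIDSIG":
            valid = True
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return None
    return keyid if valid else None


def _address_of(field):
    """Pull the bare address out of a 'Name <addr>' header value."""
    m = re.search(r"<([^>]+)>", field)
    return (m.group(1) if m else field).strip().lower()


def notification_address(changes_text, signer_keyid, keyring=KEYRING):
    """Steps 2-4: look the key up in the keyring, find the account, and choose
    the address.  Changed-By only matters when it is one of the key's own UIDs;
    otherwise the login@debian.org address derived from the key is used."""
    entry = keyring.get(signer_keyid.upper()) if signer_keyid else None
    if entry is None:
        return None  # unknown or unverified key: no account, nobody to notify
    login, uids = entry
    headers = email.message_from_string(changes_text)
    changed_by = _address_of(headers.get("Changed-By", ""))
    if changed_by and changed_by in (u.lower() for u in uids):
        return changed_by
    return f"{login}@{DEBIAN_DOMAIN}"


if __name__ == "__main__":
    kid = signer_keyid_from_status(STATUS_GOOD)
    print("signer:", kid)
    print("mallory in Changed-By ->", notification_address(CHANGES_MALLORY, kid))
    print("alice in Changed-By   ->", notification_address(CHANGES_ALICE, kid))
    print("bad signature         ->", notification_address(CHANGES_MALLORY, signer_keyid_from_status(STATUS_BAD)))
```

Running the block shows that a Changed-By address the signer does not own (mallory@example.net) never redirects the notice: it still goes to alice@debian.org, because the recipient is bound to the verified key, not to the self-asserted header. Only a Changed-By matching one of the key's UIDs changes the destination, and a BADSIG yields no signer at all.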

