On Mon, Oct 31, 2016 at 07:18:01PM -0400, Eli Schwartz via arch-general wrote:
> On 10/31/2016 05:50 PM, Leonid Isaev wrote:
> > As a side question... is there a significant difference in signing PKGBUILD vs
> > the compiled package.
>
> Do you realize, when you ask if there is a difference between signing a
> PKGBUILD vs. a built package, it sounds an awful lot like asking if
> there is a difference between a PKGBUILD and a built package?
It does not, really...
> > Given that when building a pkg, I inspect the PKGBUILD,
> > what attack is possible when the PKGBUILD is not signed?
>
> Off the top of my head, there is *the topic of this thread*. Someone
> could modify the checksums and deliver fake sources. When the PKGBUILD
> just says "run `make`", how do you tell the difference?
Well, my mentality is that authenticating plain-text data is usually not
necessary because a user can always inspect it (notice, I don't care if a
PKGBUILD comes from an authentic source, I only care if its not doing smth
malicious). This is why I inspect the PKGBUILD and corresponding install files
/ patches. At least, I thought this is why PKGBUILDs are not signed in the same
manner that Gentoo signs ebuilds...
Regarding checksums, how did a dev know that upstream sources are authentic? I
use a similar judgement (as a practical example, in my packages I always
maintain multiple checksums: one from Arch, another from Gentoo, third from
Debian/Fedora, and have a keyring with all upstream keys I can get).
But anyway, my question has already been answered...
Thanks,
L.
--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
