Re: Sébastien Luttringer and Tobias Powalowski





On 07/02/2017 11:38 PM, Eli Schwartz wrote:
> Let's make this clear: None of these claims are true! At all! Not even
> one of them!

You just say it's not true, but that is wrong. I've written a statement for
every link he pointed out in which way it is valid or not.

> You have grabbed the troll bait! Please don't do that. Also, you're wrong.

You are also a troll, as you just block with "STOP TROLLING". That is
even more annoying to me.

> Posting about these packages and attempting to shame their maintainers
> on the mailing list is unacceptable, in the way posting to the mailing
> list about the chemical composition of peanut butter is unacceptable.

Yes, we should not shame specific people, I've learned this myself. He
picked a few packages from a few maintainers. We DO have SERIOUS security
issues in PKGBUILDs that we CAN fix, but just don't, for no obvious
reason.

> systemd is validated with GPG, it doesn't matter whether the download
> transport is checked against the cacert system. GPG already ensures that
> this package cannot sneakily use a source that isn't signed with the
> validpgpkeys.

Yes the GPG signature of the tag commit is checked. However you can
attack the git metadata and set a tag to a different commit. If this
commit is signed, but at an older stage which is vulnerable, we have an
issue. Just one example. So we should always also secure the transport
layer.
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias

You are just complaining the loudest. Doesn't mean you are right, nor
better. If we just fix our PKGBUILDs, no one can troll.

How do you think we can improve the PKGBUILD security if we reject
suggestions like this? What would be your plan? Waiting for an attacker
to prove that we should have fixed our PKGBUILDs earlier?

Attachment: signature.asc
Description: OpenPGP digital signature
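
The case raised in this message, a tag ref repointed to an older object whose signature is still valid, shown for signed annotated tags as an added example that is not part of the original e-mail and not makepkg's code: the tag name sits inside the signed tag object, so comparing it with the requested ref (and optionally with a pinned commit) exposes the swap. The sample objects and ids are constructed, and signature verification is assumed to have happened already.

```python
# Added example. Inputs are the raw text printed by `git cat-file tag <name>`.
# Assumption: the OpenPGP signature over each object was already verified
# against validpgpkeys; this only checks what that signed payload asserts.

def parse_tag_headers(raw):
    """Return the header fields of an annotated tag object as a dict."""
    headers = {}
    for line in raw.split("\n"):
        if not line:  # the first blank line ends the header block
            break
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers


def check_tag(ref_name, raw, pinned_commit=None):
    """Return a list of problems; an empty list means every check passed."""
    headers = parse_tag_headers(raw)
    prefix = "refs/tags/"
    wanted = ref_name[len(prefix):] if ref_name.startswith(prefix) else ref_name
    problems = []
    if headers.get("tag") != wanted:
        problems.append("ref %r serves a tag object named %r"
                        % (wanted, headers.get("tag")))
    if headers.get("type") != "commit":
        problems.append("tag does not point at a commit")
    if pinned_commit is not None and headers.get("object") != pinned_commit:
        problems.append("tagged commit differs from the pinned commit")
    return problems


# Constructed sample objects (hypothetical ids, signature body elided).
OLD_COMMIT, NEW_COMMIT = "a" * 40, "b" * 40
TEMPLATE = ("object {commit}\ntype commit\ntag {name}\n"
            "tagger Example Dev <dev@example.org> 1498000000 +0000\n\n"
            "release {name}\n-----BEGIN PGP SIGNATURE-----\n(elided)\n")
TAG_V1 = TEMPLATE.format(commit=OLD_COMMIT, name="v1")
TAG_V2 = TEMPLATE.format(commit=NEW_COMMIT, name="v2")

if __name__ == "__main__":
    # Honest server: refs/tags/v2 resolves to the v2 tag object.
    print(check_tag("refs/tags/v2", TAG_V2, NEW_COMMIT))
    # Tampered metadata: refs/tags/v2 resolves to the older, validly signed v1.
    print(check_tag("refs/tags/v2", TAG_V1, NEW_COMMIT))
```

A signed commit carries no ref name in its payload, so for commit-level signatures only the pinned-commit comparison applies.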

