Re: Sébastien Luttringer and Tobias Powalowski




(Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
> But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, anyone can MITM for the good of their life.
> Unless they can fake the signature (Hint; they can't), or trick Lennart into signing something he shouldn't (Hint; he
> won't), we don't have a case here. It doesn't really matter if it's HTTP or HTTPS.
> 
> You also didn't really reply about the threat model.

If I understand correctly what Nicohood meant,
what could happen is that version X of systemd (or anything else) has a
well-known vulnerability, fixed in X+1. X+1 is packaged, so anyone
up to date thinks "good, I'm safe now". But since a man in the middle can
force you to download version X (signed by the systemd maintainer, so
considered "secure"), he can force you to download that version when you
create the package, and you'll think you have the safe version while
having the unsafe one.

If that happens to the packager in archlinux, then you've poisoned all
archlinux users.

(but then, the md5sum will be wrong anyway?)
-- 
Ismael
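Ismael's point above, that a genuine upstream signature on an older release does not stop a downgrade and that the pinned checksum in the PKGBUILD is what catches it, as an added Python model (not code from this thread or from makepkg): the HMAC "signature" and the tarball contents are constructed stand-ins, and `makepkg_checks` mirrors makepkg's validpgpkeys plus sha256sums/`SKIP` handling.

```python
import hashlib
import hmac

# Constructed stand-in for the upstream maintainer's signing key. A real
# PKGBUILD lists the PGP fingerprint in validpgpkeys and makepkg calls gpg;
# the decision logic modelled below is the same.
MAINTAINER_KEY = b"constructed-upstream-signing-key"

def sign(tarball: bytes) -> bytes:
    """Stand-in for the upstream maintainer signing a release tarball."""
    return hmac.new(MAINTAINER_KEY, tarball, hashlib.sha256).digest()

def signature_ok(tarball: bytes, sig: bytes) -> bool:
    """What .sig verification answers: was this file signed by the trusted key?
    It says nothing about whether this is the version the packager expected."""
    return hmac.compare_digest(sign(tarball), sig)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed releases: X carries the known bug, X+1 is the fixed one.
TARBALL_X = b"systemd-X: contains the well-known vulnerability"
TARBALL_X1 = b"systemd-X+1: vulnerability fixed"
SIG_X, SIG_X1 = sign(TARBALL_X), sign(TARBALL_X1)

def makepkg_checks(tarball: bytes, sig: bytes, pinned_sha256: str) -> str:
    """Model of makepkg's source checks: signature by a key in validpgpkeys
    AND the sha256sums entry, where the literal 'SKIP' disables the digest."""
    if not signature_ok(tarball, sig):
        return "rejected: bad signature"
    if pinned_sha256 != "SKIP" and sha256(tarball) != pinned_sha256:
        return "rejected: checksum mismatch"
    return "accepted"

def downgrade_outcome(pinned_sha256: str) -> str:
    """The packager's PKGBUILD targets X+1; a MITM serves X with its genuine
    signature. Only the pinned digest distinguishes the two."""
    return makepkg_checks(TARBALL_X, SIG_X, pinned_sha256)

if __name__ == "__main__":
    pinned = sha256(TARBALL_X1)  # value the packager wrote into sha256sums for X+1
    print(makepkg_checks(TARBALL_X1, SIG_X1, pinned))  # accepted
    print(downgrade_outcome(pinned))                   # rejected: checksum mismatch
    print(downgrade_outcome("SKIP"))                   # accepted
```

The last line is the case the thread is circling: with `SKIP` in place of a real digest, a validly signed older tarball passes, so the checksum (Ismael's md5sum remark) rather than the signature is what pins the version.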
