(Sun, Jul 02, 2017 at 07:22:23PM -0400) Eli Schwartz via arch-general :
> Okay, this I am genuinely curious about.
>
> In what circumstances can I have:
> - the systemd repository cloned over the git:// protocol
> - an annotated tag for systemd v233 signed by Lennart Poettering.
> - an annotated tag for systemd v232 signed by Lennart Poettering.
> - a man in the middle attack
> - `git verify-tag --raw v233` reports a GOODSIG with a VALIDSIG
> ${fingerprint} that matches with Lennart's known GPG fingerprint as
> recorded in validpgpkeys
>
> And as a result, when I run the git command `git checkout
> refs/tags/v233`, I am tricked into getting v232 instead which contains a
> vulnerability.
Until there, it's exactly the topic of the presentation linked by
Nicohood
> Also, I wouldn't be alerted by the verbose printing of
> the systemd version which happens during the boot process, nor by
> $systemd_binary --version
Then you rely only on that last two things
--
Ismael
Attachment:
signature.asc
Description: PGP signature
