06.07.2011, 16:07, "Michael Schwendt" <mschwendt@xxxxxxxxx>:
> And for a sufficiently large tarball of a project with N>1 devs, has the
> signer been able to actually verify all source code changes prior to
> signing the tarball? Or is the signature only used to flag a package as
> coming from a trusted project developer without any additional guarantees?
> A tarball sig is just one layer of safety, but no ultimate protection.
>
>>> The uploaded tarball checksum enters the "sources" file in git, and any
>>> tarball downloaded from the lookaside cache MUST match that checksum.
>>> Else it wouldn't be downloaded and used. Source RPM build in koji would
>>> fail.
>
>> This is just a checksum against the tarball that enters the lookaside
>> cache. Yes, I know about this. A malicious package could have been
>> uploaded to the lookaside cache, however. This leads to demanding
>> everyone have signatures available, but what do you do about SVN/Git
>> checkouts or projects that don't wish to provide signatures?
>
> Obviously, one needs to be very careful, skim over diffs, monitor commits
> regularly, archive snapshots regularly, be familiar with upstream release
> habits. Upstream also needs to do that, to avoid that a compromised account
> from a committer is used to infiltrate the project. If a source code repository
> is modified without permission and no developer (or release manager) notices it,
> would the person adding the tarball sig notice it?

The developer of vsftpd didn't notice the change, but still there was early
prevention possible. The issue is *one* of the ways source code can be
exploited, and checking the GPG signatures for the projects that allow it is
a measure against that particular kind of attack. Literally, it would close one
vulnerability in the distro. Which is enough.
--
Best regards,
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
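The two layers the thread contrasts, as an added example (written for this page, not Fedora's own tooling): layer 1 pins the tarball to the digest recorded in the package's `sources` file, which is all the lookaside cache and koji enforce; layer 2 checks a detached upstream signature and, as a caveat the thread does not spell out, accepts only a `VALIDSIG` from a pinned key fingerprint, since `GOODSIG` alone does not say which key signed. The `sources` parser handles both the 2011-era two-column `<digest>  <file>` format and the later `SHA512 (<file>) = <hex>` format. The file name `foo-1.0.tar.gz`, the tarball bytes, the fingerprint and the `gpg --status-fd` output in the demo are all constructed; the `gpg` flags used in `verify_signature` are real GnuPG options.

```python
"""Constructed example: two independent checks on a package source tarball.

Layer 1: digest must match the package's ``sources`` file (lookaside/koji rule).
Layer 2: detached OpenPGP signature must verify against a pinned key fingerprint.
Not Fedora's own tooling; names and sample data below are made up.
"""
import hashlib
import hmac
import re
import shutil
import subprocess

# "SHA512 (foo-1.0.tar.gz) = <hex>" (newer format) ...
_NEW_FMT = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")
# ... and "<hex>  foo-1.0.tar.gz" (2011-era format, algorithm implied by length).
_OLD_FMT = re.compile(r"^(?P<hex>[0-9a-fA-F]{32,128})\s+\*?(?P<name>\S+)$")
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sources(text):
    """Return {filename: (algorithm, hexdigest)} for every entry in a ``sources`` file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _NEW_FMT.match(line)
        if m:
            entries[m.group("name")] = (m.group("algo").lower(), m.group("hex").lower())
            continue
        m = _OLD_FMT.match(line)
        if m and len(m.group("hex")) in _HEX_LEN_TO_ALGO:
            entries[m.group("name")] = (_HEX_LEN_TO_ALGO[len(m.group("hex"))], m.group("hex").lower())
            continue
        raise ValueError("unparseable sources line: " + line)
    return entries


def hex_digest(algo, data):
    """Hex digest of ``data`` with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def checksum_ok(sources_text, name, data):
    """Layer 1: True only if ``name`` is listed and ``data`` matches its pinned digest."""
    entry = parse_sources(sources_text).get(name)
    if entry is None:
        return False
    algo, expected = entry
    return hmac.compare_digest(hex_digest(algo, data), expected)


def parse_gpg_status(status_output, expected_fingerprint):
    """Layer 2 decision from ``gpg --status-fd`` output.

    Only a VALIDSIG line carrying the pinned fingerprint counts. GOODSIG says the
    signature checked out under *some* key in the keyring, not which one.
    """
    want = expected_fingerprint.replace(" ", "").upper()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            if parts[2].upper() == want:
                return True
    return False


def verify_signature(tarball_path, sig_path, keyring_path, expected_fingerprint):
    """Run gpg against a dedicated keyring (not the user's default) and pin the key."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(
        [gpg, "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, tarball_path],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout, expected_fingerprint)


# Constructed sample data (not a real release, key or gpg run).
SAMPLE_NAME = "foo-1.0.tar.gz"
SAMPLE_DATA = b"constructed tarball contents\n"
SAMPLE_SOURCES_OLD = hex_digest("md5", SAMPLE_DATA) + "  " + SAMPLE_NAME + "\n"
SAMPLE_SOURCES_NEW = "SHA512 (" + SAMPLE_NAME + ") = " + hex_digest("sha512", SAMPLE_DATA) + "\n"
SAMPLE_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SAMPLE_STATUS = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <upstream@example.org>\n"
                 "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-07-06 1309956000 0 4 0 1 2 00 "
                 "0123456789ABCDEF0123456789ABCDEF01234567\n")


def demo():
    """Both layers on the constructed data; a tampered tarball fails layer 1."""
    return {
        "old_format_ok": checksum_ok(SAMPLE_SOURCES_OLD, SAMPLE_NAME, SAMPLE_DATA),
        "new_format_ok": checksum_ok(SAMPLE_SOURCES_NEW, SAMPLE_NAME, SAMPLE_DATA),
        "tampered_rejected": not checksum_ok(SAMPLE_SOURCES_OLD, SAMPLE_NAME, SAMPLE_DATA + b"#backdoor\n"),
        "pinned_sig_ok": parse_gpg_status(SAMPLE_STATUS, SAMPLE_FPR),
        "other_key_rejected": not parse_gpg_status(SAMPLE_STATUS, "F" * 40),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(check, "PASS" if passed else "FAIL")
```

Note that layer 1 alone says nothing about who produced the tarball: whoever uploaded it to the lookaside cache also wrote the digest into `sources`, so a replaced tarball passes. Layer 2 ties the bytes to a key that was pinned ahead of time, which is why the fingerprint is a hard-coded input rather than read from the signature.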