On Mon, Jul 03, 2017 at 01:01:35AM +0200, Ismael Bouya wrote:
> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
> > But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD; 
> > anyone can MITM for the good of their life.
> > Unless they can fake the signature (Hint; they can't), or trick Lennart into 
> > signing something he shouldn't (Hint; he won't), we don't have a case here. 
> > It doesn't really matter if it's HTTP or HTTPS.
> > 
> > You also didn't really reply about the threat model.
> 
> If I understand correctly what Nicohood meant,
> what could happen is that version X of systemd (or anything else) has a
> well-known vulnerability, fixed in X+1. X+1 is packaged, so anyone
> up to date thinks "good, I'm safe now". But since a man in the middle can
> force you to download version X (signed by the systemd maintainer, so
> considered "secure"), he can force you to download that version when you
> create the package, and you'll think you have the safe version while
> having the unsafe one.
> 
> If that happens to the packager in archlinux, then you poisoned all
> archlinux users.
> 
> (but then, the md5sum will be wrong anyway?)
> -- 
> Ismael


At this point we can't trust the trusted users to build and verify the correct 
packages, let alone maintain a safe infrastructure to build packages. This is 
a slippery slope, and I really fucking hope this isn't a serious issue any 
devs or TUs are afraid of.


-- 
Morten Linderud

PGP: 9C02FF419FECBE16


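The downgrade scenario raised in the thread, and Ismael's parenthetical about the checksum, as an added example that is not part of the original mails or of any Arch tooling: a PKGBUILD pins the exact upstream tarball in its sha256sums=() array, so a man in the middle who serves the older, still validly signed release X in place of the packaged X+1 fails the checksum comparison before the PGP signature (validpgpkeys) is even consulted. The two "releases" below are constructed stand-in files, and verify_source is a hypothetical helper standing in for makepkg's own integrity step.

```shell
#!/bin/sh
# Added example, not code from the thread or from makepkg. Demonstrates why a pinned
# checksum defeats a MITM downgrade to an older but validly signed release.

# Use whichever SHA-256 tool the host provides (GNU coreutils or Perl shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_source FILE EXPECTED_SHA256
# Returns 0 when the downloaded file matches the sum pinned by the packager, 1 otherwise.
# Hypothetical helper mirroring what makepkg does with sha256sums=() before any
# signature check runs.
verify_source() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Constructed stand-ins for the two upstream releases (content is irrelevant; only the
# fact that they differ matters).
tmpdir=$(mktemp -d)
printf 'systemd release X+1 (fixed)\n' > "$tmpdir/systemd-X+1.tar.gz"
printf 'systemd release X (vulnerable)\n' > "$tmpdir/systemd-X.tar.gz"

# The packager records the hash of X+1 in the PKGBUILD at packaging time.
PINNED_SHA256=$(sha256_of "$tmpdir/systemd-X+1.tar.gz")

# Honest download of X+1: checksum matches, so the build proceeds to signature checks.
if verify_source "$tmpdir/systemd-X+1.tar.gz" "$PINNED_SHA256"; then
  echo "systemd-X+1.tar.gz: checksum OK"
fi

# MITM substitutes X: the checksum mismatches regardless of the valid upstream
# signature on X, so the downgrade is caught before gpg is ever invoked.
if ! verify_source "$tmpdir/systemd-X.tar.gz" "$PINNED_SHA256"; then
  echo "systemd-X.tar.gz: checksum MISMATCH (downgrade detected)"
fi
```

The same logic holds for the md5sums=() array mentioned in the thread, only with a hash that is far weaker against a deliberately crafted collision; the protection against a plain downgrade comes from pinning a specific file, not from the choice of digest.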