Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Florian Pelz
On 02/20/2015 07:22 PM, Dolan Murvihill wrote: > CAs can, and have, deliberately issued fraudulent certificates. > TrustWave is the only one that has been discovered doing this --- > and that, only because they came forward on their own years after > the fact. The security community generally agree

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Dolan Murvihill
On Fri, Feb 20, 2015 at 06:54:10PM +0100, Florian Pelz wrote: > On 02/20/2015 04:51 PM, Daniel Micay wrote: > > PKGBUILD checksums provide *zero*, yes *zero* security for the case > > that matters most, which is the build done by the packager. It does > > provide the ability for other people to ver

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 12:54 PM, Florian Pelz wrote: > On 02/20/2015 04:51 PM, Daniel Micay wrote: >> PKGBUILD checksums provide *zero*, yes *zero* security for the case >> that matters most, which is the build done by the packager. It does >> provide the ability for other people to verify that a MITM attack

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Florian Pelz
On 02/20/2015 04:51 PM, Daniel Micay wrote: > PKGBUILD checksums provide *zero*, yes *zero* security for the case > that matters most, which is the build done by the packager. It does > provide the ability for other people to verify that a MITM attack > was not used to target a specific packager...

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 10:26 AM, Mark Lee wrote: > > However, the issue still stands regarding checksums. Perhaps packages > with metadata changes should just not include checksums? Or, they could > just link to the sources.archlinux.org in those cases with checksums. Ideally, devtools would generate a sourc

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 10:22 AM, Florian Pelz wrote: > On 02/20/2015 03:59 PM, Daniel Micay wrote: >> The vast majority of users make use of the binary packages and the >> checksums do absolutely nothing to secure the main attack vector >> which is a compromise of the sources downloaded by the packager. It >

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Mark Lee
On 02/20/2015 10:22 AM, Florian Pelz wrote: > On 02/20/2015 03:59 PM, Daniel Micay wrote: >> The vast majority of users make use of the binary packages and the >> checksums do absolutely nothing to secure the main attack vector >> which is a compromise of the sources downloaded by the packager. It

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Florian Pelz
On 02/20/2015 03:59 PM, Daniel Micay wrote: > The vast majority of users make use of the binary packages and the > checksums do absolutely nothing to secure the main attack vector > which is a compromise of the sources downloaded by the packager. It > is only relevant to the tiny minority of peopl

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 09:53 AM, Mark Lee wrote: > On 02/20/2015 09:22 AM, Daniel Micay wrote: >> On 20/02/15 09:03 AM, Mark Lee wrote: >>> >>> The checksums are there for integrity. The GPG signatures only >>> confirm the packager built the package. My question is if a >>> packager's PKGBUILD fails a checksu

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Martti Kühne
On Fri, Feb 20, 2015 at 4:09 PM, Daniel Micay wrote: > On 20/02/15 10:04 AM, Martti Kühne wrote: > > You should really just tell upstream to sign their releases, because it > wipes out the attack vector instead of just making it possible to audit > whether a MITM attack on the original. packager o

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 10:04 AM, Martti Kühne wrote: > On Fri, Feb 20, 2015 at 3:53 PM, Mark Lee wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> Checksums aren't sources, they are a method of verifying the integrity >> of sources. In other words, while different files can have the same >>

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Martti Kühne
On Fri, Feb 20, 2015 at 3:53 PM, Mark Lee wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Checksums aren't sources, they are a method of verifying the integrity > of sources. In other words, while different files can have the same > md5sum (hash collision), a failed checksum indicat

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 09:41 AM, Florian Pelz wrote: > Hi, > > On 02/20/2015 03:22 PM, Daniel Micay wrote: >> On 20/02/15 09:03 AM, Mark Lee wrote: >>> I understand that the metadata changed which changed the checksum, but >>> that doesn't really change the question of what to do with source code >>> version

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Mark Lee
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 02/20/2015 09:22 AM, Daniel Micay wrote: > On 20/02/15 09:03 AM, Mark Lee wrote: >> >> The checksums are there for integrity. The GPG signatures only >> confirm the packager built the package. My question is if a >> packager's PKGBUILD fails a ch

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Florian Pelz
Hi, On 02/20/2015 03:22 PM, Daniel Micay wrote: > On 20/02/15 09:03 AM, Mark Lee wrote: >> I understand that the metadata changed which changed the checksum, but >> that doesn't really change the question of what to do with source code >> versioning systems that have changing checksums and the nee

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread G. Schlisio
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > I understand that the metadata changed which changed the checksum, > but that doesn't really change the question of what to do with > source code versioning systems that have changing checksums and the > need to supply source code for GPL projects

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 09:03 AM, Mark Lee wrote: > >> No... the integrity check not matching is not because an >> out-of-tree source tree was used. The checksums are certainly not >> there to improve security, that's what GPG signatures are for. > > > The checksums are there for integrity. The GPG signatur

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 20/02/15 09:03 AM, Mark Lee wrote: > > The checksums are there for integrity. The GPG signatures only confirm > the packager built the package. My question is if a packager's > PKGBUILD fails a checksum and the license is GPL, how does the > packager fulfill their requirement to provide the sou

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Mark Lee
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 02/20/2015 03:27 AM, Daniel Micay wrote: > On 19/02/15 11:39 PM, Mark Lee wrote: >> On 02/19/2015 05:46 PM, Mark Lee wrote: >>> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote: On 19 February 2015 at 21:42, Doug Newgard wrote: > You c

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Anatol Pomozov
Hi On Thu, Feb 19, 2015 at 2:24 PM, Lukas Jirkovsky wrote: > On 19 February 2015 at 21:42, Doug Newgard wrote: >> You can't. If upstream provides a checksum, that gives you some verification, >> but since github doesn't, there's no way to verify any of it. > > I don't know about github, but with

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-20 Thread Daniel Micay
On 19/02/15 11:39 PM, Mark Lee wrote: > On 02/19/2015 05:46 PM, Mark Lee wrote: >> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote: >>> On 19 February 2015 at 21:42, Doug Newgard wrote: You can't. If upstream provides a checksum, that gives you some verification, but since github doe

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-19 Thread Mark Lee
On 02/19/2015 05:46 PM, Mark Lee wrote: > On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote: >> On 19 February 2015 at 21:42, Doug Newgard wrote: >>> You can't. If upstream provides a checksum, that gives you some >>> verification, >>> but since github doesn't, there's no way to verify any of it. >>

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-19 Thread Mark Lee
On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote: > On 19 February 2015 at 21:42, Doug Newgard wrote: >> You can't. If upstream provides a checksum, that gives you some verification, >> but since github doesn't, there's no way to verify any of it. > > I don't know about github, but with bitbucket th

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-19 Thread Lukas Jirkovsky
On 19 February 2015 at 21:42, Doug Newgard wrote: > You can't. If upstream provides a checksum, that gives you some verification, > but since github doesn't, there's no way to verify any of it. I don't know about github, but with bitbucket the checksums of these generated tarballs may change occa

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-19 Thread Doug Newgard
On Thu, 19 Feb 2015 15:34:31 -0500 Mark Lee wrote: > On 02/19/2015 03:28 PM, Doug Newgard wrote: > > On Thu, 19 Feb 2015 15:15:42 -0500 > > Mark Lee wrote: > > > >> Salutations, > >> > >> After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's > >> checksum was incorrect, I filed

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-19 Thread Mark Lee
On 02/19/2015 03:28 PM, Doug Newgard wrote: > On Thu, 19 Feb 2015 15:15:42 -0500 > Mark Lee wrote: > >> Salutations, >> >> After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's >> checksum was incorrect, I filed a bug report. See >>

Re: [arch-general] Severity of Failed checksum for PKGBUILD

2015-02-19 Thread Doug Newgard
On Thu, 19 Feb 2015 15:15:42 -0500 Mark Lee wrote: > Salutations, > > After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's > checksum was incorrect, I filed a bug report. See > . > > I filed it under "cri

[arch-general] Severity of Failed checksum for PKGBUILD

2015-02-19 Thread Mark Lee
Salutations, After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's checksum was incorrect, I filed a bug report. See . I filed it under "critical" since an incorrect checksum means that the package was built