[Mageia-dev] Problem with missing signatures

Pascal Terjan pterjan at gmail.com
Sat Dec 29 20:49:47 CET 2012

On Sat, Dec 29, 2012 at 7:44 PM, Kamil Rytarowski <n54 at gmx.com> wrote:
> On 29.12.2012 20:11, Pascal Terjan wrote:
>> On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <n54 at gmx.com> wrote:
>>> Hello!
>>> Could we add a trigger to prevent unsigned packages from being uploaded?
>>> I've faced again bunch of unsigned packages.. and when I was trying to
>>> rebuild plexus-i18n against missing signature, with bumping the release -
>>> the build system said it's already built with that version [1].
>>> How is it possible? I have checked the history of this package.. and it
>>> was
>>> never released as the version in the build system.
>>> Am I missing something? Was there an attack and a package injection?
>>> Kamil
>>> [1]
>>> http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589
>> It seems someone manually uploaded the package on December 1st, after
>> building it on a machine named karamel, this seems to be dmorgan's
>> machine
> Thank you Pascal for your reply, so it was injected (in other words
> "manually uploaded").
> I may understand that in some circumstances there is a need to do manual
> operations over our buildservers, but please for the sake of security and
> credibility of Mageia prohibit uploading locally built packages into the
> outside world, servers! Without it a user or developer cannot see if a local
> mirror (or someone in-the-middle) is injecting Trojan packages or not.

This is not supposed to happen but can be done temporarily by
sysadmins (usually for some kind of bootstraping when you need the
package to be on the mirrors to be able to upload it or another one it
requires). It seems it was the case but dmorgan forgot to upload the
correct package afterwards.

We should definitely improve things so that this is logged and
packages get signed when uploaded manually by admins.

More information about the Mageia-dev mailing list