[Mageia-dev] Problem with missing signatures
Kamil Rytarowski
n54 at gmx.com
Sat Dec 29 20:44:04 CET 2012
On 29.12.2012 20:11, Pascal Terjan wrote:
> On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <n54 at gmx.com> wrote:
>> Hello!
>>
>> Could we add a trigger to prevent unsigned packages from being uploaded?
>>
>> I've faced again bunch of unsigned packages.. and when I was trying to
>> rebuild plexus-i18n against missing signature, with bumping the release -
>> the build system said it's already built with that version [1].
>>
>> How is it possible? I have checked the history of this package.. and it was
>> never released as the version in the build system.
>>
>> Am I missing something? Was there an attack and a package injection?
>>
>> Kamil
>>
>> [1]
>> http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589
> It seems someone manually uploaded the package on December 1st, after
> building it on a machine named karamel, this seems to be dmorgan's
> machine
Thank you Pascal for your reply, so it was injected (in other words
"manually uploaded").
I may understand that in some circumstances there is a need to do manual
operations over our buildservers, but please for the sake of security
and credibility of Mageia prohibit uploading locally built packages into
the outside world, servers! Without it a user or developer cannot see if
a local mirror (or someone in-the-middle) is injecting Trojan packages
or not.
More information about the Mageia-dev
mailing list