Diffstat (limited to 'zarb-ml/mageia-dev/2012-December/021034.html')
-rw-r--r-- | zarb-ml/mageia-dev/2012-December/021034.html | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2012-December/021034.html b/zarb-ml/mageia-dev/2012-December/021034.html new file mode 100644 index 000000000..e3ffc41f8 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-December/021034.html 
@@ -0,0 +1,108 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Problem with missing signatures + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Problem%20with%20missing%20signatures&In-Reply-To=%3CCA%2BCX%2Bbj%2Bvb4d2BbRj-JYqg0yhzKLs0d3h%2B2Q2cTW-2coLwzNAw%40mail.gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="021032.html"> + <LINK REL="Next" HREF="021035.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Problem with missing signatures</H1> + <B>Pascal Terjan</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Problem%20with%20missing%20signatures&In-Reply-To=%3CCA%2BCX%2Bbj%2Bvb4d2BbRj-JYqg0yhzKLs0d3h%2B2Q2cTW-2coLwzNAw%40mail.gmail.com%3E" + TITLE="[Mageia-dev] Problem with missing signatures">pterjan at gmail.com + </A><BR> + <I>Sat Dec 29 20:49:47 CET 2012</I> + <P><UL> + <LI>Previous message: <A HREF="021032.html">[Mageia-dev] Problem with missing signatures +</A></li> + <LI>Next message: <A HREF="021035.html">[Mageia-dev] Problem with missing signatures +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#21034">[ date ]</a> + <a href="thread.html#21034">[ thread ]</a> + <a href="subject.html#21034">[ subject ]</a> + <a href="author.html#21034">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Sat, Dec 29, 2012 at 7:44 PM, Kamil Rytarowski <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">n54 at gmx.com</A>> wrote: +><i> On 29.12.2012 20:11, Pascal Terjan wrote: +</I>>><i> +</I>>><i> On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">n54 at gmx.com</A>> wrote: +</I>>>><i> +</I>>>><i> Hello! 
+</I>>>><i> +</I>>>><i> Could we add a trigger to prevent unsigned packages from being uploaded? +</I>>>><i> +</I>>>><i> I've faced again bunch of unsigned packages.. and when I was trying to +</I>>>><i> rebuild plexus-i18n against missing signature, with bumping the release - +</I>>>><i> the build system said it's already built with that version [1]. +</I>>>><i> +</I>>>><i> How is it possible? I have checked the history of this package.. and it +</I>>>><i> was +</I>>>><i> never released as the version in the build system. +</I>>>><i> +</I>>>><i> Am I missing something? Was there an attack and a package injection? +</I>>>><i> +</I>>>><i> Kamil +</I>>>><i> +</I>>>><i> [1] +</I>>>><i> +</I>>>><i> <A HREF="http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589">http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589</A> +</I>>><i> +</I>>><i> It seems someone manually uploaded the package on December 1st, after +</I>>><i> building it on a machine named karamel, this seems to be dmorgan's +</I>>><i> machine +</I>><i> +</I>><i> Thank you Pascal for your reply, so it was injected (in other words +</I>><i> "manually uploaded"). +</I>><i> +</I>><i> I may understand that in some circumstances there is a need to do manual +</I>><i> operations over our buildservers, but please for the sake of security and +</I>><i> credibility of Mageia prohibit uploading locally built packages into the +</I>><i> outside world, servers! Without it a user or developer cannot see if a local +</I>><i> mirror (or someone in-the-middle) is injecting Trojan packages or not. +</I> +This is not supposed to happen but can be done temporarily by +sysadmins (usually for some kind of bootstraping when you need the +package to be on the mirrors to be able to upload it or another one it +requires). It seems it was the case but dmorgan forgot to upload the +correct package afterwards. 
+ +We should definitely improve things so that this is logged and +packages get signed when uploaded manually by admins. +</PRE> + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="021032.html">[Mageia-dev] Problem with missing signatures +</A></li> + <LI>Next message: <A HREF="021035.html">[Mageia-dev] Problem with missing signatures +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#21034">[ date ]</a> + <a href="thread.html#21034">[ thread ]</a> + <a href="subject.html#21034">[ subject ]</a> + <a href="author.html#21034">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
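Review bot: in both navigation blocks (the one before `<!--beginarticle-->` and the one after `<!--threads-->`) the added markup opens `<P>` immediately before `<UL>` and never closes it, so the paragraph is empty and is ended implicitly by the list; dropping the `<P>` gives the same rendering with cleaner markup. The same blocks mix tag case (`<LI>` closed by `</li>`, `</A>` alongside `<a href=...>`), and a run of empty added lines sits between `</PRE>` and `<!--endarticle-->` that could be trimmed. If this file is archiver output committed unmodified, it is better left byte-for-byte as generated, with the commit message saying so.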