From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-December/021032.html | 94 ++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-December/021032.html (limited to 'zarb-ml/mageia-dev/2012-December/021032.html') diff --git a/zarb-ml/mageia-dev/2012-December/021032.html b/zarb-ml/mageia-dev/2012-December/021032.html new file mode 100644 index 000000000..15a8e8733 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-December/021032.html @@ -0,0 +1,94 @@ + + + + [Mageia-dev] Problem with missing signatures + + + + + + + + + +

[Mageia-dev] Problem with missing signatures

+ Kamil Rytarowski + n54 at gmx.com +
+ Sat Dec 29 20:44:04 CET 2012 +

+
+ +
On 29.12.2012 20:11, Pascal Terjan wrote:
+> On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <n54 at gmx.com> wrote:
+>> Hello!
+>>
+>> Could we add a trigger to prevent unsigned packages from being uploaded?
+>>
+>> I've faced again bunch of unsigned packages.. and when I was trying to
+>> rebuild plexus-i18n against missing signature, with bumping the release -
+>> the build system said it's already built with that version [1].
+>>
+>> How is it possible? I have checked the history of this package.. and it was
+>> never released as the version in the build system.
+>>
+>> Am I missing something? Was there an attack and a package injection?
+>>
+>> Kamil
+>>
+>> [1]
+>> http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589
+> It seems someone manually uploaded the package on December 1st, after
+> building it on a machine named karamel, this seems to be dmorgan's
+> machine
+Thank you Pascal for your reply, so it was injected (in other words 
+"manually uploaded").
+
+I may understand that in some circumstances there is a need to do manual 
+operations over our buildservers, but please for the sake of security 
+and credibility of Mageia prohibit uploading locally built packages into 
+the outside world, servers! Without it a user or developer cannot see if 
+a local mirror (or someone in-the-middle) is injecting Trojan packages 
+or not.
+
+ + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
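Review bot: The hunk as rendered here shows only runs of bare `+` where the archived file's `<html>`/`<head>` markup and closing tags should be (its first and last lines), while the summary claims `94 insertions(+)`; before merging, confirm the committed `zarb-ml/mageia-dev/2012-December/021032.html` really carries all 94 lines including that markup, and consider stating in the commit message which list and month this import covers, since "Add zarb MLs html archives" does not say. The message body itself (the report that an unsigned plexus-i18n package was manually uploaded from a build machine and the request for a trigger rejecting unsigned uploads) is archive content and should be kept verbatim.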