From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-December/021034.html | 108 +++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-December/021034.html (limited to 'zarb-ml/mageia-dev/2012-December/021034.html') diff --git a/zarb-ml/mageia-dev/2012-December/021034.html b/zarb-ml/mageia-dev/2012-December/021034.html new file mode 100644 index 000000000..e3ffc41f8 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-December/021034.html @@ -0,0 +1,108 @@ + + + + [Mageia-dev] Problem with missing signatures + + + + + + + + + +

[Mageia-dev] Problem with missing signatures

+ Pascal Terjan + pterjan at gmail.com +
+ Sat Dec 29 20:49:47 CET 2012 +

+
+ +
On Sat, Dec 29, 2012 at 7:44 PM, Kamil Rytarowski <n54 at gmx.com> wrote:
+> On 29.12.2012 20:11, Pascal Terjan wrote:
+>>
+>> On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <n54 at gmx.com> wrote:
+>>>
+>>> Hello!
+>>>
+>>> Could we add a trigger to prevent unsigned packages from being uploaded?
+>>>
+>>> I've faced again bunch of unsigned packages.. and when I was trying to
+>>> rebuild plexus-i18n against missing signature, with bumping the release -
+>>> the build system said it's already built with that version [1].
+>>>
+>>> How is it possible? I have checked the history of this package.. and it
+>>> was
+>>> never released as the version in the build system.
+>>>
+>>> Am I missing something? Was there an attack and a package injection?
+>>>
+>>> Kamil
+>>>
+>>> [1]
+>>>
+>>> http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589
+>>
+>> It seems someone manually uploaded the package on December 1st, after
+>> building it on a machine named karamel, this seems to be dmorgan's
+>> machine
+>
+> Thank you Pascal for your reply, so it was injected (in other words
+> "manually uploaded").
+>
+> I may understand that in some circumstances there is a need to do manual
+> operations over our buildservers, but please for the sake of security and
+> credibility of Mageia prohibit uploading locally built packages into the
+> outside world, servers! Without it a user or developer cannot see if a local
+> mirror (or someone in-the-middle) is injecting Trojan packages or not.
+
+This is not supposed to happen but can be done temporarily by
+sysadmins (usually for some kind of bootstraping when you need the
+package to be on the mirrors to be able to upload it or another one it
+requires). It seems it was the case but dmorgan forgot to upload the
+correct package afterwards.
+
+We should definitely improve things so that this is logged and
+packages get signed when uploaded manually by admins.
+
+ + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
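The thread above asks for a trigger that refuses unsigned packages before they reach the mirrors. Below is an added example of the structural part of such a gate, written for this page and not taken from the Mageia build system: it parses only the RPM lead and signature header (no rpm binary needed) and rejects any package whose signature header carries none of rpm's OpenPGP signature tags (RPMSIGTAG_DSA/RSA/PGP/GPG), which is exactly the shape a locally built, never-signed package has. The sample package bytes are constructed in make_rpm() with a placeholder signature blob; tag and type numbers are rpm's own. Presence of a tag is not validity, so a real upload hook must still run rpm --checksig (or rpmkeys -K) against the build system's trusted keyring after this check passes.

```python
"""Upload gate pre-check: refuse RPMs whose signature header has no signature tag.

Added example, not Mageia build-system code. Only the lead (96 bytes) and the
signature header are parsed; sample packages are constructed by make_rpm().
"""
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header-structure magic + version 1
ENTRY_SIZE = 16                      # tag, type, offset, count (big-endian u32 each)

# Signature-header tags that hold an OpenPGP signature (rpm's rpmsigtag values).
SIGNATURE_TAGS = {
    267: "RPMSIGTAG_DSA",    # DSA signature over the header
    268: "RPMSIGTAG_RSA",    # RSA signature over the header
    1002: "RPMSIGTAG_PGP",   # RSA signature over header + payload
    1005: "RPMSIGTAG_GPG",   # DSA signature over header + payload
}
FIXED_TYPE_SIZE = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # NULL, CHAR, INT8..INT64
RPM_BIN_TYPE = 7


class BadRpm(ValueError):
    """Raised when the lead or signature header is malformed or truncated."""


def signature_tags(blob: bytes) -> dict:
    """Return {tag: data} for every entry in the signature header, bounds-checked."""
    if len(blob) < LEAD_SIZE or blob[:4] != LEAD_MAGIC:
        raise BadRpm("not an RPM lead")
    pos = LEAD_SIZE
    if blob[pos:pos + 4] != HEADER_MAGIC:
        raise BadRpm("missing signature header magic")
    nindex, hsize = struct.unpack(">II", blob[pos + 8:pos + 16])
    index = pos + 16
    store = index + ENTRY_SIZE * nindex
    if store + hsize > len(blob):
        raise BadRpm("truncated signature header")
    entries = {}
    for i in range(nindex):
        off = index + ENTRY_SIZE * i
        tag, typ, offset, count = struct.unpack(">IIII", blob[off:off + ENTRY_SIZE])
        if typ == RPM_BIN_TYPE:
            length = count                       # BIN: count is a byte length
        elif typ in FIXED_TYPE_SIZE:
            length = FIXED_TYPE_SIZE[typ] * count
        else:
            length = hsize - offset              # string types: rest of store, cut at NUL
        if offset > hsize or offset + length > hsize:
            raise BadRpm(f"entry for tag {tag} overruns the data store")
        data = blob[store + offset:store + offset + length]
        if typ not in FIXED_TYPE_SIZE and typ != RPM_BIN_TYPE:
            data = data.split(b"\0", 1)[0]
        entries[tag] = data
    return entries


def check_upload(blob: bytes):
    """Return (accept, reason). Accept only if a signature tag holding an OpenPGP packet exists."""
    try:
        entries = signature_tags(blob)
    except BadRpm as exc:
        return False, f"reject: {exc}"
    found = [name for tag, name in SIGNATURE_TAGS.items() if tag in entries]
    if not found:
        return False, "reject: no OpenPGP signature tag in signature header"
    for tag, name in SIGNATURE_TAGS.items():
        data = entries.get(tag)
        # Every OpenPGP packet starts with a tag byte whose high bit is set (RFC 4880).
        if data is not None and (not data or not data[0] & 0x80):
            return False, f"reject: {name} does not hold an OpenPGP packet"
    return True, "signed: " + ", ".join(found)


def make_rpm(signed: bool) -> bytes:
    """Constructed sample: valid lead + signature header only (no main header/payload)."""
    lead = (LEAD_MAGIC + bytes([3, 0])                 # rpm format 3.0
            + struct.pack(">HH", 0, 1)                 # binary package, arch 1
            + b"demo-1.0-1".ljust(66, b"\0")
            + struct.pack(">HH", 1, 5)                 # os Linux, RPMSIGTYPE_HEADERSIG
            + b"\0" * 16)
    assert len(lead) == LEAD_SIZE
    items = [(1000, 4, struct.pack(">I", 4096)),       # RPMSIGTAG_SIZE, INT32 first (alignment)
             (1004, RPM_BIN_TYPE, bytes(range(16)))]   # RPMSIGTAG_MD5 (placeholder digest)
    if signed:
        # Placeholder shaped like an OpenPGP signature packet header; NOT a real
        # signature. A real gate verifies it with rpm --checksig afterwards.
        items.append((268, RPM_BIN_TYPE, b"\x89\x01\x0c\x04\x00\x01" + b"\0" * 10))
    index, store = b"", b""
    for tag, typ, data in items:
        count = len(data) if typ == RPM_BIN_TYPE else 1
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    sig = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(items), len(store)) + index + store
    sig += b"\0" * (-len(sig) % 8)                     # signature header is 8-byte padded
    return lead + sig


if __name__ == "__main__":
    for label, pkg in (("signed", make_rpm(True)), ("unsigned", make_rpm(False))):
        print(label, check_upload(pkg))
```

Run against a real .rpm file the check reads the same two structures, so it can sit in front of the upload path as a cheap first filter; the thread's actual fix (signing packages that admins upload manually, and logging that they did) still needs the keyring-backed verification behind it.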