<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] Problem with missing signatures
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Problem%20with%20missing%20signatures&In-Reply-To=%3C50DF4804.8030803%40gmx.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="021031.html">
   <LINK REL="Next"  HREF="021034.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] Problem with missing signatures</H1>
    <B>Kamil Rytarowski</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Problem%20with%20missing%20signatures&In-Reply-To=%3C50DF4804.8030803%40gmx.com%3E"
       TITLE="[Mageia-dev] Problem with missing signatures">n54 at gmx.com
       </A><BR>
    <I>Sat Dec 29 20:44:04 CET 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="021031.html">[Mageia-dev] Problem with missing signatures
</A></li>
        <LI>Next message: <A HREF="021034.html">[Mageia-dev] Problem with missing signatures
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#21032">[ date ]</a>
              <a href="thread.html#21032">[ thread ]</a>
              <a href="subject.html#21032">[ subject ]</a>
              <a href="author.html#21032">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>On 29.12.2012 20:11, Pascal Terjan wrote:
&gt;<i> On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">n54 at gmx.com</A>&gt; wrote:
</I>&gt;&gt;<i> Hello!
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> Could we add a trigger to prevent unsigned packages from being uploaded?
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> I've again faced a bunch of unsigned packages.. and when I was trying to
</I>&gt;&gt;<i> rebuild plexus-i18n against missing signature, with bumping the release -
</I>&gt;&gt;<i> the build system said it's already built with that version [1].
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> How is it possible? I have checked the history of this package.. and it was
</I>&gt;&gt;<i> never released as the version in the build system.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> Am I missing something? Was there an attack and a package injection?
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> Kamil
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> [1]
</I>&gt;&gt;<i> <A HREF="http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&amp;r2=335589">http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&amp;r2=335589</A>
</I>&gt;<i> It seems someone manually uploaded the package on December 1st, after
</I>&gt;<i> building it on a machine named karamel, this seems to be dmorgan's
</I>&gt;<i> machine
</I>Thank you Pascal for your reply, so it was injected (in other words 
&quot;manually uploaded&quot;).

I may understand that in some circumstances there is a need to do manual 
operations over our buildservers, but please for the sake of security 
and credibility of Mageia prohibit uploading locally built packages into 
the outside world, servers! Without it a user or developer cannot see if 
a local mirror (or someone in-the-middle) is injecting Trojan packages 
or not.
</PRE>
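<P>Added example, not part of the original message or of Mageia's build system: a minimal sketch of the kind of upload check the thread asks for, assuming the packages are RPM files. It reads the RPM signature header and rejects a file that carries no OpenPGP signature tag; the helper names and the sample byte strings are constructed for illustration.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # RPM lead, 96 bytes in total
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic plus version byte
# Signature-header tags that hold an OpenPGP signature. Digest-only tags
# (269 SHA1, 1004 MD5) are present in unsigned packages too and do not count.
SIGNATURE_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}

def signature_tags(rpm_bytes):
    """Return the names of OpenPGP signature tags found in the signature header."""
    if len(rpm_bytes) < 112 or rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM package (bad lead)")
    if rpm_bytes[96:100] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    # Bytes 100-103 are reserved; then entry count and data store size.
    nindex, hsize = struct.unpack(">II", rpm_bytes[104:112])
    if 112 + 16 * nindex + hsize > len(rpm_bytes):
        raise ValueError("truncated signature header")
    found = []
    for i in range(nindex):
        start = 112 + 16 * i
        tag, _type, _offset, count = struct.unpack(">IIII", rpm_bytes[start:start + 16])
        if tag in SIGNATURE_TAGS and count > 0:
            found.append(SIGNATURE_TAGS[tag])
    return sorted(found)

def accept_upload(rpm_bytes):
    """Upload gate: refuse anything malformed or lacking a signature tag."""
    try:
        return bool(signature_tags(rpm_bytes))
    except ValueError:
        return False

def build_sample(entries):
    """Constructed input: a lead plus a signature header with (tag, payload) entries."""
    index, store = b"", b""
    for tag, payload in entries:
        index += struct.pack(">IIII", tag, 7, len(store), len(payload))  # type 7 = BIN
        store += payload
    counts = struct.pack(">II", len(entries), len(store))
    return LEAD_MAGIC + b"\x00" * 92 + HEADER_MAGIC + b"\x00" * 4 + counts + index + store

# Constructed samples: digests only (unsigned) versus digests plus an RSA tag.
UNSIGNED = build_sample([(269, b"0" * 41), (1004, b"\x00" * 16)])
SIGNED = build_sample([(269, b"0" * 41), (268, b"\x89\x02" + b"\x00" * 8)])
```

The presence of a tag only shows that a package claims to be signed; a real gate would also verify the signature against the distribution's keyring, for example with <code>rpmkeys --checksig</code>.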









<!--endarticle-->
    <HR>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>