Hello All,

Just yesterday I was learning libretools and how the packaging works on Parabola GNU/Linux-libre. I am used to compiling some things for Arch and was surprised at one of the key differences - one that I think can be classified as a "major" security flaw in the build process.

When making packages normally, one needs only edit /etc/makepkg.conf and add GPGKEY="keyid". Then, to make a package from the PKGBUILD, simply run:

    makepkg

The package will be compiled and immediately signed with the packager's key during the compile process. However, libremakepkg disables this feature. The compiled binary package is left unsigned. This means that up until the packager manually signs the package with his/her key and/or it is done at the librerelease stage, the binary is unprotected.

Example compile: http://termbin.com/9p3o

Note this part particularly:

    | ==> Signing package...
    | ==> WARNING: Failed to sign package file.

This allows two security risks.

1) Someone or something could modify the package while it's sitting around waiting to be uploaded on the packager's computer.

2) If librerelease is signing binaries only, what is to prevent someone from taking a random modified binary and pushing it to the main repo with their key?

Lukeshu caught this important bug 12 months ago: https://labs.parabola.nu/issues/567

Hence, I agree with lukeshu. The packages must, at the very least, be signed closer to the source.

In summary: librerelease shouldn't be signing packages, it should be gpg --verify-ing them before uploading; and libremakepkg needs to be able to sign packages during compile as upstream does.
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
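As an added illustration of the "verify, don't sign, at release time" proposal above (this is example code written for this page, not libretools or librerelease code), the script below refuses to release a package unless it has a detached signature that gpg accepts and the signer is one of a fixed list of packager keys. That second check is what closes risk 2): a binary signed with an arbitrary key is rejected even though its signature is technically valid. The file layout (<pkg>.sig next to the package), the PACKAGER_KEYS variable and its placeholder fingerprints are assumptions of the example; parsing of gpg's --status-fd output is split into its own function so the decision logic can be exercised without a keyring.

```shell
#!/bin/sh
# Added example, not part of libretools: pre-upload check that fails closed.
# Assumptions (hypothetical): packages carry a makepkg-style detached
# signature <pkg>.sig, and PACKAGER_KEYS lists the fingerprints of keys that
# are allowed to sign releases. The fingerprints below are placeholders.
set -u

PACKAGER_KEYS="${PACKAGER_KEYS:-0000000000000000000000000000000000000001 0000000000000000000000000000000000000002}"

# check_status STATUS_TEXT ALLOWLIST
# Reads the lines gpg writes with --status-fd and succeeds only if there is a
# VALIDSIG line whose fingerprint is in ALLOWLIST. A GOODSIG from a key that is
# not on the list is rejected: "valid" is not the same as "trusted to release".
check_status() {
    local status="$1" allowed="$2" fpr k
    fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    if [ -z "$fpr" ]; then
        echo "no valid signature found" >&2
        return 1
    fi
    for k in $allowed; do
        if [ "$k" = "$fpr" ]; then
            return 0
        fi
    done
    echo "signed by a key that is not a packager key: $fpr" >&2
    return 1
}

# verify_package PKGFILE
# 1) the detached signature must exist (an unsigned build is never uploaded)
# 2) gpg must accept the signature
# 3) the signing key must be an allowed packager key
# If gpg is missing or fails, the status text is empty and the check fails.
verify_package() {
    local pkg="$1" sig status
    sig="$pkg.sig"
    if [ ! -f "$sig" ]; then
        echo "refusing to release $pkg: no detached signature" >&2
        return 1
    fi
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null) || true
    check_status "$status" "$PACKAGER_KEYS"
}

# Usage in a release step (replaces signing at upload time):
#   for p in *.pkg.tar.xz; do verify_package "$p" || exit 1; done
```

The point of parsing VALIDSIG rather than trusting gpg's exit status alone is that gpg returns success for any good signature from any key in the keyring; the allowlist comparison is what ties a release to the packager keys.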
