Michał Masłowski <[email protected]> writes:

>> The package will be compiled, and immediately signed with the packager's
>> key during compile process.
>
> This isn't nice for batch builds: user leaves the computer building for
> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
> gpg-agent will cache it for a short time.
right, this was the initial decision for putting signing on librerelease. security-wise having to put the signature for each batch/unattended build is bothersome but necessary.

>> 1) Someone or something could modify the package while it's sitting
>> around waiting to be uploaded on the packager's computer.
>
> If the developer changes file permissions so others can write to their
> files, and has malicious local users or sufficient remotely-exploitable
> vulnerabilities, there are much bigger problems.

+1

>> 2) If librerelease is signing binaries only, what is to prevent someone
>> from taking a random modified binary and pushing it to the main repo
>> with their key?
>
> This can be solved only by not having the developers build and upload
> anything to the repo.

xD what happened with reproducible builds?

btw i've been signing my commits to abslibre.git, i don't know how this can be useful to verify that the pkgbuild corresponds to the binary package.

-- 
http://vqfe4xmhxzi7w2uv.onion
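Following up on the question in the reply above about how a signed PKGBUILD commit could be tied to a binary package: below is an added, runnable sketch (not part of this thread, and not Parabola's librerelease or makepkg) of the reproducible-build check that makes that link. A signature on the binary alone only proves who uploaded it; if independent builders rebuild the same PKGBUILD revision and publish the resulting package hash, the binary can be accepted only when enough of them agree. `deterministic_build` is a stand-in for a reproducible makepkg run, the commit id, PKGBUILD and toolchain label are constructed placeholders, and the signatures over the attestations themselves are left out.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample input: a PKGBUILD as it would sit at one commit of abslibre.git.
SAMPLE_PKGBUILD = b"pkgname=example\npkgver=1.0\npkgrel=1\nsource=(example-1.0.tar.gz)\n"
SAMPLE_COMMIT = "deadbeef-constructed-commit-id"  # placeholder, not a real commit id


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deterministic_build(pkgbuild: bytes, toolchain: str) -> bytes:
    """Stand-in for a reproducible makepkg run (hypothetical): the output depends
    only on the PKGBUILD content and the pinned toolchain, never on who built it."""
    return b"PKG\0" + sha256_hex(pkgbuild).encode() + b"\0" + toolchain.encode()


@dataclass(frozen=True)
class BuildInfo:
    """What an independent builder publishes (and would sign) after a rebuild."""
    builder: str
    pkgbuild_commit: str
    pkgbuild_sha256: str
    toolchain: str
    package_sha256: str


def rebuild_and_attest(builder: str, commit: str, pkgbuild: bytes,
                       toolchain: str) -> tuple[BuildInfo, bytes]:
    """Rebuild from a PKGBUILD revision and record the hashes that tie
    source revision and resulting package together."""
    package = deterministic_build(pkgbuild, toolchain)
    info = BuildInfo(builder, commit, sha256_hex(pkgbuild), toolchain, sha256_hex(package))
    return info, package


def verify_package(package: bytes, pkgbuild: bytes, expected_commit: str,
                   attestations: list[BuildInfo], quorum: int = 2) -> tuple[bool, str]:
    """Accept `package` only if at least `quorum` distinct builders rebuilt the
    expected PKGBUILD revision and obtained a byte-identical package."""
    pkg_hash = sha256_hex(package)
    src_hash = sha256_hex(pkgbuild)
    matching = [a for a in attestations if a.package_sha256 == pkg_hash]
    if not matching:
        return False, "no attestation matches the package hash"
    for a in matching:
        if a.pkgbuild_commit != expected_commit or a.pkgbuild_sha256 != src_hash:
            return False, f"attestation from {a.builder} refers to a different PKGBUILD revision"
    builders = {a.builder for a in matching}
    if len(builders) < quorum:
        return False, f"only {len(builders)} independent builder(s) agree, need {quorum}"
    return True, f"{len(builders)} independent rebuilds of commit {expected_commit} match"


if __name__ == "__main__":
    toolchain = "toolchain-constructed-1"
    dev_info, dev_pkg = rebuild_and_attest("developer", SAMPLE_COMMIT, SAMPLE_PKGBUILD, toolchain)
    ci_info, _ = rebuild_and_attest("rebuilder-ci", SAMPLE_COMMIT, SAMPLE_PKGBUILD, toolchain)
    # Developer-built package, independently confirmed by a second builder: accepted.
    print(verify_package(dev_pkg, SAMPLE_PKGBUILD, SAMPLE_COMMIT, [dev_info, ci_info]))
    # Package modified after the build: no attestation matches, so it is rejected.
    print(verify_package(dev_pkg + b"\0tampered", SAMPLE_PKGBUILD, SAMPLE_COMMIT, [dev_info, ci_info]))
```

The developer's own attestation counts as one builder; the check only passes once a second, independent rebuild of the same commit reproduces the same bytes, which is what turns "signed by a developer key" into "corresponds to this PKGBUILD revision".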
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
