On 29.12.2012 20:11, Pascal Terjan wrote:
On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <[email protected]> wrote:
Hello!
Could we add a trigger to prevent unsigned packages from being uploaded?
I've faced again bunch of unsigned packages.. and when I was trying to
rebuild plexus-i18n against missing signature, with bumping the release -
the build system said it's already built with that version [1].
How is it possible? I have checked the history of this package.. and it was
never released as the version in the build system.
Am I missing something? Was there an attack and a package injection?
Kamil
[1]
http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589
It seems someone manually uploaded the package on December 1st, after
building it on a machine named karamel, this seems to be dmorgan's
machine
Thank you Pascal for your reply, so it was injected (in other words
"manually uploaded").
I may understand that in some circumstances there is a need to do manual
operations over our buildservers, but please for the sake of security
and credibility of Mageia prohibit uploading locally built packages into
the outside world, servers! Without it a user or developer cannot see if
a local mirror (or someone in-the-middle) is injecting Trojan packages
or not.
