I propose the following patch, which removes the gpg --verify of the ssh
tarball and replaces it with an md5sum.  gpg --verify has a requirement
on the building user's config, which makes it impossible to use in
automated build environments.  It also provides a false sense of security,
since without a trust path, the verification is invalid.

However, if we assume that the user already trusts the systemimager code
base, then a provided md5sum should be sufficient.

Though adding some trust with respect to the openssh tarball is a step
in the right direction, it alone provides very little to ensure a secure
environment - during an installation, we run all of our binaries with
root privileges, any of which could be accessing kernel memory (the
kernel itself being the prime example).

NOTE: I have not verified the signature of the file I downloaded to calculate
the md5sum below because I don't know of a trust path I have to that key.

Index: make.d/openssh.rul
===================================================================
RCS file: /cvsroot/systemimager/systemimager/make.d/openssh.rul,v
retrieving revision 1.18
diff -u -p -u -r1.18 openssh.rul
--- make.d/openssh.rul  12 Oct 2004 15:46:00 -0000      1.18
+++ make.d/openssh.rul  14 Oct 2004 04:36:26 -0000
@@ -9,6 +9,7 @@
 OPENSSH_VERSION         := 3.8.1p1
 OPENSSH_DIR             := openssh-$(OPENSSH_VERSION)
 OPENSSH_TARBALL         := openssh-$(OPENSSH_VERSION).tar.gz
+OPENSSH_MD5SUM          := 1dbfd40ae683f822ae917eebf171ca42
 OPENSSH_TARBALL_TARGET  := $(SRC_DIR)/$(OPENSSH_TARBALL)
 OPENSSH_URL             := 
http://alpaca.mcs.anl.gov/openssh/portable/$(OPENSSH_TARBALL)
 OPENSSH_BINARIES        := $(SRC_DIR)/$(OPENSSH_DIR)/ssh \
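
Review bot: OPENSSH_MD5SUM is a bare literal placed next to OPENSSH_VERSION with nothing tying the two together, so a version bump that forgets the sum only shows up as a failed verify step. Add a comment stating that the sum must be regenerated whenever OPENSSH_VERSION changes and where the value was obtained. Because OPENSSH_URL is plain http, this digest is the only integrity check on the download, so a stronger digest (for example one computed with sha256sum) would fit better than MD5, which is not collision resistant.
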
@@ -40,14 +41,7 @@ $(OPENSSH_BINARIES): $(SRC_DIR)/openssh_
        $(MAKE) -C $(SRC_DIR)/$(OPENSSH_DIR)
 
 $(SRC_DIR)/openssh_verify.stamp:       $(OPENSSH_TARBALL_TARGET)
-       #
-       # If the following command fails, you may need to do a 
-       #
-       #   gpg --keyserver gpg.dtype.org --recv-keys <KEYID>
-       #
-       # with the "DSA key ID" listed below.
-       #
-       gpg --verify $(SRC_DIR)/$(OPENSSH_TARBALL).sig $(SRC_DIR)/$(OPENSSH_TARBALL)
+       [ "$(shell md5sum $(OPENSSH_TARBALL_TARGET) | cut -d' ' -f1)" == 
"$(OPENSSH_MD5SUM)" ]
        touch $(SRC_DIR)/openssh_verify.stamp
 
 $(OPENSSH_TARBALL_TARGET):
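
Review bot: the comparison in the openssh_verify.stamp recipe uses `==` inside `[ ]`, which is a bash extension. make runs recipe lines with /bin/sh by default, and a strictly POSIX `[` can reject that operator, so use a single `=`. The digest is also computed with `$(shell ...)`, which make expands itself; writing it as `$$(md5sum $(OPENSSH_TARBALL_TARGET) | cut -d' ' -f1)` keeps the whole check in the recipe's shell. On a mismatch the step fails with no output, whereas the removed comment told the builder what to do, so consider printing the expected and computed sums before exiting non-zero.
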




