On 07/02/2017 11:38 PM, Eli Schwartz wrote:
> Let's make this clear: None of these claims are true! At all! Not even one of them!

You just say it's not true, but that is wrong. I've written a statement for every link he pointed out, stating in which way it is valid or not.

> You have grabbed the troll bait! Please don't do that. Also, you're wrong.

You are also a troll, as you just block with "STOP TROLLING". That is even more annoying to me.

> Posting about these packages and attempting to shame their maintainers on the mailing list is unacceptable, in the way posting to the mailing list about the chemical composition of peanut butter is unacceptable.

Yes, we should not shame specific people; I've learned this myself. He picked a few packages from a few maintainers. We DO have SERIOUS security issues in PKGBUILDs that we CAN fix, but just don't, for no obvious reason.

> systemd is validated with GPG, it doesn't matter whether the download transport is checked against the cacert system. GPG already ensures that this package cannot sneakily use a source that isn't signed with the validpgpkeys.

Yes, the GPG signature of the tag commit is checked. However, you can attack the git metadata and set a tag to a different commit. If this commit is signed, but at an older stage which is vulnerable, we have an issue. Just one example. So we should always also secure the transport layer.
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presen...

You are just complaining the loudest. That doesn't mean you are right, nor better. If we just fix our PKGBUILDs, no one can troll. How do you think we can improve the PKGBUILD security if we reject suggestions like this? What would be your plan? Waiting for an attacker to prove that we should have fixed our PKGBUILDs earlier?
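The two concerns raised in the reply above (sources fetched over an unauthenticated transport, and a git tag that can be re-pointed at an older signed commit) are both visible in the source= array of a PKGBUILD before anything is downloaded. The script below is an added example written for this page; it is not code from the thread, from makepkg, or from Arch. It reads the source= entries literally (no expansion of $pkgver), flags anything fetched over http://, ftp:// or a bare VCS protocol, and flags VCS sources that pin to a tag, a branch or nothing at all instead of a commit hash. The PKGBUILD text is constructed for the example, the hostnames and hash are made up, and the policy it applies is the script's own, not an Arch packaging rule.

```python
"""Lint PKGBUILD source= entries for weak transports and unpinned VCS refs.

Added example for illustration; not part of makepkg. The sample PKGBUILD
below is constructed, and the checks are this script's own policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Transports that give neither server authentication nor integrity on the wire.
INSECURE_TRANSPORTS = {"http", "ftp", "git", "svn", "hg", "bzr"}
# Protocols makepkg treats as VCS sources (a "git://" URL is a VCS source too).
VCS_PROTOCOLS = {"git", "svn", "hg", "bzr"}

# Constructed sample: hosts, package name and commit hash are invented.
SAMPLE_PKGBUILD = r"""
pkgname=example
pkgver=1.0
source=("https://example.org/example-$pkgver.tar.xz"
        "https://example.org/example-$pkgver.tar.xz.sig"
        "http://mirror.example.net/extra-data.tar.gz"
        "example::git+http://git.example.org/example.git#tag=v$pkgver"
        "helper::git+https://git.example.org/helper.git#commit=8f2a1c3e9d4b0a6f7e5c1d2b3a4f5e6d7c8b9a01"
        "git://git.example.org/legacy.git")
validpgpkeys=('ABCD')
"""


@dataclass(frozen=True)
class Finding:
    entry: str
    kind: str      # "insecure-transport" or "mutable-ref"
    detail: str


def extract_sources(pkgbuild: str) -> List[str]:
    """Return the entries of the first source=( ... ) array, unexpanded."""
    m = re.search(r"^\s*source=\((.*?)\)", pkgbuild, re.S | re.M)
    if not m:
        return []
    # Entries may be double-quoted, single-quoted or bare words.
    tokens = re.findall(r'"([^"]*)"|\'([^\']*)\'|(\S+)', m.group(1))
    return [a or b or c for a, b, c in tokens]


def split_entry(entry: str) -> Tuple[str, str]:
    """Split 'name::url#fragment?signed' into (url, fragment)."""
    m = re.match(r"^([^/:]+)::(.+)$", entry)
    url = m.group(2) if m else entry
    url, _, fragment = url.partition("#")
    fragment, _, _query = fragment.partition("?")  # drop a trailing ?signed
    return url, fragment


def classify(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (vcs, transport); (None, None) means a local file."""
    m = re.match(r"^([a-z]+)(?:\+([a-z]+))?://", url)
    if not m:
        return None, None
    proto, transport = m.group(1), m.group(2)
    if transport:                 # e.g. git+https -> vcs git over https
        return proto, transport
    if proto in VCS_PROTOCOLS:    # e.g. git:// -> vcs over its own protocol
        return proto, proto
    return None, proto            # plain http/https/ftp download


def lint_sources(pkgbuild: str) -> List[Finding]:
    """Apply the two checks to every remote source entry."""
    findings: List[Finding] = []
    for entry in extract_sources(pkgbuild):
        url, fragment = split_entry(entry)
        vcs, transport = classify(url)
        if transport is None:
            continue  # file shipped next to the PKGBUILD, covered by its checksum
        if transport in INSECURE_TRANSPORTS:
            findings.append(Finding(entry, "insecure-transport",
                                    f"fetched over {transport}://"))
        # A tag or branch name can be re-pointed server-side or in transit;
        # only a commit hash fixes the content independently of the metadata.
        if vcs and not fragment.startswith("commit="):
            what = fragment.split("=", 1)[0] if fragment else "default branch"
            findings.append(Finding(entry, "mutable-ref",
                                    f"{vcs} source pinned to {what}, not a commit hash"))
    return findings


if __name__ == "__main__":
    for f in lint_sources(SAMPLE_PKGBUILD):
        print(f"{f.kind:19} {f.entry}\n    {f.detail}")
```

On the sample this reports five findings: the plain http:// tarball, the git+http:// source twice (transport and a tag-only pin), and the git:// source twice (transport and no ref at all); the https:// tarball and the commit-pinned helper pass. Pinning a commit hash is a mitigation independent of how makepkg verifies the signature: a tag moved to an older signed commit still fails the pin, whether or not the signature on that commit is good.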