(Sun, Jul 02, 2017 at 07:22:23PM -0400) Eli Schwartz via arch-general :
Okay, this I am genuinely curious about.
In what circumstances can I have:
- the systemd repository cloned over the git:// protocol
- an annotated tag for systemd v233 signed by Lennart Poettering
- an annotated tag for systemd v232 signed by Lennart Poettering
- a man in the middle attack
- `git verify-tag --raw v233` reports a GOODSIG with a VALIDSIG ${fingerprint} that matches with Lennart's known GPG fingerprint as recorded in validpgpkeys
And as a result, when I run the git command `git checkout refs/tags/v233`, I am tricked into getting v232 instead which contains a vulnerability.
Up to there, it's exactly the topic of the presentation linked by Nicohood.
Also, I wouldn't be alerted by the verbose printing of the systemd version which happens during the boot process, nor by $systemd_binary --version
Then you rely only on those last two things.

-- Ismael
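
Added example, not part of the thread: `git verify-tag` validates the signature over the tag object, but it does not compare the `tag` name stored inside that object with the ref it was reached through, so a check for the scenario above has to make that comparison itself. The function names and the sample object are constructed for illustration.

```bash
#!/bin/bash
# Added example: bind the name inside a signed tag object to the ref name.
# All function names are hypothetical; the sample object is constructed.

# Print the "tag" header of a raw tag object read on stdin.
# Headers end at the first blank line; message and signature follow.
embedded_tag_name() {
    awk '/^$/ { exit } $1 == "tag" { sub(/^tag /, ""); print; exit }'
}

# Succeed only if the tag object on stdin names itself "$1".
tag_object_matches() {
    local expected=$1 actual
    actual=$(embedded_tag_name)
    if [ -z "$actual" ]; then
        echo "no tag header (lightweight tag or not a tag object)" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: ref says '$expected', signed object says '$actual'" >&2
        return 1
    fi
}

# Full check inside a clone: signature by the expected key, then the name.
# Usage: check_signed_tag v233 <fingerprint from validpgpkeys>
check_signed_tag() {
    local name=$1 fpr=$2
    git verify-tag --raw "refs/tags/$name" 2>&1 |
        grep -qF "[GNUPG:] VALIDSIG $fpr " || return 3
    git cat-file tag "refs/tags/$name" | tag_object_matches "$name"
}

# Constructed sample: the object a tampered refs/tags/v233 could point at.
sample_v232_object() {
    cat <<'EOF'
object 0000000000000000000000000000000000000000
type commit
tag v232
tagger Example Signer <signer@example.org> 1478000000 +0100

systemd 232
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
EOF
}

# Demo: the signature could be valid, yet the name binding fails.
sample_v232_object | tag_object_matches v233 || true
```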