On Mon, Jul 03, 2017 at 01:01:35AM +0200, Ismael Bouya wrote:
> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
> > But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, anyone can MITM for the good of their life. Unless they can fake the signature (Hint; they can't), or trick Lennart into signing something he shouldn't (Hint; he won't), we don't have a case here. It doesn't really matter if it's HTTP or HTTPS.
> > You also didn't really reply about the threat model.
> If I understand correctly what Nicohood meant, what could happen is that version X of systemd (or anything else) has a well known vulnerability, fixed in X+1. X+1 is packaged, so anyone up to date thinks "good I'm safe now". But since a man in the middle can force to download version X (signed by the systemd maintainer so considered "secure"), he can force you to download that version when you create the package and you'll think you have the safe version while having the unsafe one.
> If that happens to the packager in archlinux, then you poisoned all archlinux users.
> (but then, the md5sum will be wrong anyway?)
> --
> Ismael
At this point we can't trust the trusted users to build and verify the correct packages, let alone maintain a safe infrastructure to build packages. This is a slippery slope, and I really fucking hope this isn't a serious issue any devs or TUs are afraid of.
--
Morten Linderud
PGP: 9C02FF419FECBE16
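A worked illustration of the two points raised in the thread (a valid upstream signature proves authorship, not version; the checksum pinned in the PKGBUILD is what catches a substituted older tarball). This is an added example, not code from the thread or from makepkg: the signature check is simulated with a boolean, the release contents and the key fingerprint are constructed placeholders, and only the PKGBUILD fields relevant here are modelled. The `SKIP` value is makepkg's real marker for an unverified checksum.

```python
import hashlib

# Constructed sample data: two releases of a hypothetical upstream project.
# Version X carries the known bug, X+1 fixes it. Both tarballs are genuinely
# signed by the upstream maintainer, so a signature check alone accepts either.
RELEASES = {
    "X":   b"project-X.tar.xz (contains the known vulnerability)",
    "X+1": b"project-X+1.tar.xz (vulnerability fixed)",
}
MAINTAINER_KEY = "MAINTAINER_FINGERPRINT_PLACEHOLDER"  # assumed placeholder fingerprint


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_pkgbuild(pkgver: str, pin_checksum: bool) -> dict:
    """Minimal stand-in for the PKGBUILD fields that matter here."""
    return {
        "pkgver": pkgver,
        # 'SKIP' is makepkg's own marker for "do not verify this checksum".
        "sha256sums": [sha256(RELEASES[pkgver]) if pin_checksum else "SKIP"],
        "validpgpkeys": [MAINTAINER_KEY],
    }


def signature_valid(signer_key: str, pkgbuild: dict) -> bool:
    # Simulated: real makepkg runs gpg on the detached .sig and checks the
    # signing key against validpgpkeys. This establishes authorship only.
    return signer_key in pkgbuild["validpgpkeys"]


def verify_source(data: bytes, signer_key: str, pkgbuild: dict):
    """Emulate makepkg's two independent source checks; return (ok, reason)."""
    expected = pkgbuild["sha256sums"][0]
    if expected != "SKIP" and sha256(data) != expected:
        return False, "checksum mismatch"
    if not signature_valid(signer_key, pkgbuild):
        return False, "signature not from a trusted key"
    return True, "ok"


if __name__ == "__main__":
    # The packager's PKGBUILD says X+1, but the download that arrives is the
    # validly signed X tarball. A pinned checksum rejects it; with 'SKIP' the
    # old version passes on the signature alone, which is the scenario above.
    pinned = make_pkgbuild("X+1", pin_checksum=True)
    skipped = make_pkgbuild("X+1", pin_checksum=False)
    print(verify_source(RELEASES["X"], MAINTAINER_KEY, pinned))   # (False, 'checksum mismatch')
    print(verify_source(RELEASES["X"], MAINTAINER_KEY, skipped))  # (True, 'ok')
```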