On Wed, Dec 17, 2014 at 12:05 PM, Levente Polyak <anthraxx@archlinux.org> wrote:
Besides the "upstream stable release" discussion (which I will leave out here), I have two small questions:
On 12/17/2014 03:03 PM, Ido Rosen wrote:
On the gnupg-devel mailing list I've seen a few potentially serious security issues with it.
No offense, but out of interest:
No offense taken at all, these are good questions to ask.
Could you please point them out with some references and links to what exactly you consider "potentially serious security issues" on that mailing list? If it's something that was not noticed to be a potentially serious security issue, did you raise awareness about that on the list or privately to the dev?
Several security patches went into 2.1 after its release, and there continue to be patches submitted for minor issues that are borderline security/usability issues in the "bug fix" category. Most of those bugs at worst result in DoSes, but two of them in particular could result in invalid signature verification output. The 2.1.x codebase is still under relatively heavy active development (in code coverage terms) and new features seem to be going into it with every point release. This is my interpretation from following the gnupg-devel mailing list and having some familiarity with how gnupg releases have come out in the past. (Werner Koch does an excellent job of making the releases as secure as he can, but I think he has a good security reason why 2.1 isn't marked as ready for general use or stable yet. I trust him to mark 2.1 stable when he thinks it is ready for public consumption.)
On 12/17/2014 05:28 PM, Ido Rosen wrote:
[...] Someone made a mistake in upgrading to 2.1, so let's correct the mistake by downgrading back until it's safe, rather than leaving all of Arch's users at great security risk.
Out of curiosity, what exactly and specifically do you consider a "great security risk" in 2.1? I would appreciate it if you could provide a concrete reference in 2.1 for what you mean by "great security risk".
The great security risk is in reference to the fact that Arch uses gnupg to validate package repository authenticity and package authenticity, as well as other places. In practice, I see several security patches went into 2.1 after 2.1.0 was released, including some to fix bugs that only affected 2.1.0 and not 2.0.x. Some of those bugs are immediately exploitable, but it would be irresponsible to disclose which publicly (and I'm not a security researcher). For me, the bigger issue is that the developers themselves do not consider 2.1 ready for general use, and that it's the only thing preventing an Arch mirror compromise from turning into an Arch compromise.
Thanks in advance, cheers, Levente