[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Dimitrios Apostolou jimis at gmx.net
Tue Jun 15 10:55:37 EDT 2010


On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
> On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou <jimis at gmx.net> wrote:
>> Moreover, instead of building all packages in the private PCs of developers,
>> I think it is preferable to submit PKGBUILDs to build servers (via web
>> interface maybe) and let the servers do the build + signing + repoupdate...
>> That way if a developer's system gets compromised his packages will stay
>> clean. Of course that needs extra work and equipment, but perhaps we can
>> agree to it as a future target.
>
> Well, in fact, that is the very problem we have. The repository
> database files are created remotely and I think that we should avoid
> signing files remotely. In fact, a dev's machine is less visible than
> the servers of Arch. And sse the response from Ionut too.

Let me just clarify here that by "build server" I mean a machine where 
developers have *not* shell access (and in fact almost nobody has), and by 
"package signing" I mean signing with a specific archlinux key which is 
unknown (the private part) to most devs. Some distros follow that approach 
to security.

What you are proposing is package signing by developer keys, 
that's a different approach. I am just bringing up alternatives.


Dimitris


BTW I don't think that building inside a compromised system is in any way 
secure, even if building inside a chroot.


More information about the arch-general mailing list