[arch-general] Sébastien Luttringer and Tobias Powalowski

Ismael Bouya ismael.bouya at normalesup.org
Sun Jul 2 23:01:35 UTC 2017


(Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
> But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, anyone can MITM for the good of their life.
> Unless they can fake the signature (Hint; they can't), or trick Lennart into signing something he shouldn't (Hint; he
> won't), we don't have a case here. It doesn't really matter if it's HTTP or HTTPS.
> 
> You also didn't really reply about the threat model.

If I understand correctly what Nicohood meant,
what could happen is that version X of systemd (or anything else) has a
well-known vulnerability, fixed in X+1. X+1 is packaged, so anyone
up to date thinks "good, I'm safe now". But since a man in the middle can
force you to download version X (signed by the systemd maintainer, so
considered "secure"), he can make you download that version when you
create the package, and you'll think you have the safe version while
having the unsafe one.

If that happens to the packager in archlinux, then you've poisoned all
archlinux users.

(but then, the md5sum will be wrong anyway?)
-- 
Ismael
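The downgrade scenario above, and the parenthetical about the checksum, as an added worked example that is not part of the original thread. It models the makepkg source checks a PKGBUILD drives: the upstream maintainer's PGP key is stood in for by a constructed HMAC key (so that every release that key has ever signed verifies, exactly as with a key listed in validpgpkeys), the two releases are constructed byte strings rather than real systemd tarballs, and the fetch functions are an assumed honest network and an assumed plain-HTTP man in the middle that answers the X+1 URLs with the genuinely signed X files. With only the signature checked (sha256sums set to SKIP), the downgrade is accepted; with the checksum pinned to the X+1 bytes, it is rejected before the signature is even looked at.

```python
"""Model of makepkg source verification under a version-downgrade MITM.

Added example, not code from the original thread or from makepkg itself.
The signing key, releases and fetch functions below are all constructed.
"""
import hashlib
import hmac

# Constructed stand-in for the upstream maintainer's PGP key: an HMAC key.
# Any bytes signed with it verify, as any release signed by the trusted key
# in validpgpkeys verifies in makepkg. It is an assumption for this model.
UPSTREAM_KEY = b"constructed-upstream-signing-key"


def upstream_sign(key: bytes, tarball: bytes) -> bytes:
    """Stand-in for the detached .sig the maintainer publishes with a release."""
    return hmac.new(key, tarball, hashlib.sha256).digest()


def signature_valid(key: bytes, tarball: bytes, sig: bytes) -> bool:
    """Stand-in for gpg --verify against one key from validpgpkeys."""
    return hmac.compare_digest(upstream_sign(key, tarball), sig)


def sha256sum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed releases: version X has a known bug, X+1 fixes it.
# Both carry genuine upstream signatures, as real releases do.
TARBALL_X = b"constructed systemd release X (vulnerable)"
TARBALL_X1 = b"constructed systemd release X+1 (fixed)"
SIG_X = upstream_sign(UPSTREAM_KEY, TARBALL_X)
SIG_X1 = upstream_sign(UPSTREAM_KEY, TARBALL_X1)


def make_pkgbuild(pin_checksum: bool) -> dict:
    """The PKGBUILD fields makepkg uses for source verification, for X+1.

    'SKIP' on the .sig entry mirrors real PKGBUILDs, which never checksum the
    signature file; 'SKIP' on the tarball entry is the signature-only setup.
    """
    return {
        "source": ["systemd-X+1.tar.xz", "systemd-X+1.tar.xz.sig"],
        "sha256sums": [sha256sum(TARBALL_X1) if pin_checksum else "SKIP", "SKIP"],
        "validpgpkeys": [UPSTREAM_KEY],
    }


def honest_fetch(url: str) -> bytes:
    """Assumed well-behaved network: the packager gets the bytes they asked for."""
    return {"systemd-X+1.tar.xz": TARBALL_X1, "systemd-X+1.tar.xz.sig": SIG_X1}[url]


def downgrade_mitm_fetch(url: str) -> bytes:
    """Assumed plain-HTTP MITM: for the X+1 URLs, serve the older, genuinely
    signed X tarball and its matching signature."""
    return {"systemd-X+1.tar.xz": TARBALL_X, "systemd-X+1.tar.xz.sig": SIG_X}[url]


def makepkg_verify(pkgbuild: dict, fetch):
    """Model of makepkg's source checks: integrity (checksums) first, then the
    detached signature against any key in validpgpkeys. Returns (ok, reason)."""
    tarball_url, sig_url = pkgbuild["source"]
    tarball = fetch(tarball_url)
    sig = fetch(sig_url)

    expected = pkgbuild["sha256sums"][0]
    if expected != "SKIP" and expected != sha256sum(tarball):
        return False, "checksum mismatch for " + tarball_url

    if not any(signature_valid(k, tarball, sig) for k in pkgbuild["validpgpkeys"]):
        return False, "bad signature for " + tarball_url
    return True, "verified"


if __name__ == "__main__":
    for label, fetch in (("honest", honest_fetch), ("MITM downgrade", downgrade_mitm_fetch)):
        for pinned in (False, True):
            ok, why = makepkg_verify(make_pkgbuild(pinned), fetch)
            print(f"{label:15} checksum pinned={pinned!s:5} -> {ok} ({why})")
```

The signature proves only that the maintainer signed these bytes at some point, not that they are the bytes this PKGBUILD was written against; the checksum is what pins the exact release. That is why the md5sum (today sha256sums) is the check that fails here, and since the attack is a rollback to a genuine old release rather than a forged file, even a collision-weak digest such as MD5 is enough to catch it. Leaving the tarball's checksum as SKIP and relying on the signature alone is exactly the configuration this model shows to be downgradable.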