[arch-general] Sébastien Luttringer and Tobias Powalowski

Morten Linderud morten at linderud.pw
Sun Jul 2 23:06:04 UTC 2017

On Mon, Jul 03, 2017 at 01:01:35AM +0200, Ismael Bouya wrote:
> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
> > But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, anyone can MITM for the good of their life.
> > Unless they can fake the signature (Hint; they can't), or trick Lennart into signing something he shouldn't (Hint; he
> > won't), we don't have a case here. It doesn't really matter if it's HTTP or HTTPS.
> > 
> > You also didn't really reply about the threat model.
> If I understand correctly what Nicohood meant,
> what could happen is that version X of systemd (or anything else) has a
> well known vulnerability, fixed in X+1. X+1 is packaged, so anyone
> up to date thinks "good I'm safe now". But since a man in the middle can
> force to download version X (signed by the systemd maintainer so
> considered "secure"), he can force you to download that version when you
> create the package and you'll think you have the safe version while
> having the unsafe one.
> If that happens to the packager in archlinux, then you poisoned all
> archlinux users.
> (but then, the md5sum will be wrong anyway?)
> -- 
> Ismael

At this point we can't trust the trusted users to build and verify the correct packages, let alone maintain a safe
infrastructure to build packages. This is a slippery slope, and I really fucking hope this isn't a serious issue any
devs or TUs are afraid of.

Morten Linderud
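
The downgrade scenario from the quoted reply, and its closing question about the checksum, as an added example that is not part of the original thread: a replayed older release still carries a valid upstream signature, and only the checksum pinned for X+1 rejects it. All names and byte strings are constructed, and HMAC-SHA256 stands in for the OpenPGP signature so the example needs only the standard library.

```python
import hashlib
import hmac

# Constructed stand-in for the upstream signing key. A real PKGBUILD checks an
# OpenPGP signature; HMAC-SHA256 is an assumption made to stay stdlib-only.
UPSTREAM_KEY = b"constructed-upstream-signing-key"


def sign(tarball: bytes) -> bytes:
    """Upstream side: detached 'signature' over one release tarball."""
    return hmac.new(UPSTREAM_KEY, tarball, hashlib.sha256).digest()


def signature_ok(tarball: bytes, sig: bytes) -> bool:
    """True when the signature was made by the trusted signer over these bytes."""
    return hmac.compare_digest(sign(tarball), sig)


def checksum_ok(tarball: bytes, pinned_sha256: str) -> bool:
    """True when the bytes match the checksum recorded in the build recipe."""
    return hmac.compare_digest(hashlib.sha256(tarball).hexdigest(), pinned_sha256)


def verify_source(tarball: bytes, sig: bytes, pinned_sha256: str) -> dict:
    """Run both checks independently so the result shows which one fired."""
    return {
        "signature": signature_ok(tarball, sig),
        "checksum": checksum_ok(tarball, pinned_sha256),
    }


# Constructed releases: X has the known flaw, X+1 is the fix.
RELEASE_X = b"project-X source tarball (known-vulnerable)"
RELEASE_X1 = b"project-X+1 source tarball (fixed)"
SIG_X, SIG_X1 = sign(RELEASE_X), sign(RELEASE_X1)  # both genuinely signed
PINNED = hashlib.sha256(RELEASE_X1).hexdigest()    # recorded for X+1


def scenarios() -> dict:
    return {
        "genuine X+1": verify_source(RELEASE_X1, SIG_X1, PINNED),
        # Network attacker swaps in the old tarball together with its old signature.
        "replayed X": verify_source(RELEASE_X, SIG_X, PINNED),
        # Modified bytes with the original signature: both checks fail.
        "tampered X+1": verify_source(RELEASE_X1 + b"!", SIG_X1, PINNED),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:13} {result}")
```

The pin only catches the replay if it was recorded from the genuine X+1 tarball in the first place.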
