[arch-general] Harassment by David Runge

Tharre tharre3 at gmail.com
Sat May 11 16:58:37 UTC 2019

For clarity,

On 05/11, Marc Lehmann via arch-general wrote:
> He replied that the arch build system automatically treats all .sig files
> as gpg signatures, and that this can't be switched off; that the signature
> for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and
> claimed this affects all of the file signatures.

This is indeed the case, see [0].

> I in turn replied that I consider this a candidate for a bug report
> against the arch build system, as it shouldn't enforce treatment of
> random .sig file as gpg signature. I also pointed out that it is a
> security bug if arch linux treats .sig files without a hardcoded or
> otherwise authenticated gpg key id, and shouldn't rely on a random
> openpgp signature, even if that signature verifies. I did mention that
> I can hardly imagine that the arch build system would be that broken
> however.

But this part is not, i.e. makepkg will only accept signatures from
keys whose fingerprints are specified in validpgpkeys, and will not
accept other random signatures. So there is no security issue here.

I hope that was helpful.



[0] https://wiki.archlinux.org/index.php/PKGBUILD#Sources

PGP fingerprint: 42CE 7698 D6A0 6129 AA16  EF5C 5431 BDE2 C8F0 B2F4
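As an added illustration of the validpgpkeys check described in this thread (example code written for this page, not makepkg's own implementation): it parses constructed `gpg --status-fd` lines and accepts a signature only when the primary-key fingerprint on the VALIDSIG line appears in the allow-list. The fingerprints and gpg output are made-up placeholders, and matching on the primary fingerprint (the last VALIDSIG field) is my assumption about how makepkg compares against validpgpkeys.

```python
# Constructed samples of `gpg --status-fd 1 --verify` output (not real runs);
# the fingerprints are placeholders, not real keys.
PRIMARY_FPR = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SUBKEY_FPR = "1111222233334444555566667777888899990000"

STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SUBKEY_FPR[-16:]} Example Upstream <upstream@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2019-05-11 1557590317 0 4 0 1 10 00 {PRIMARY_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {SUBKEY_FPR[-16:]} Example Upstream <upstream@example.org>\n"
)
STATUS_NOKEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1557590317 9 -\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)


def check_signature(status_output, validpgpkeys):
    """Return (accepted, reason) for one detached-signature verification.

    A signature is accepted only if gpg reports VALIDSIG *and* the primary
    key fingerprint on that line is in validpgpkeys. Keyring trust levels
    (TRUST_* lines) are deliberately ignored, so a random key that merely
    verifies is not enough. An empty allow-list rejects everything here
    (this example's policy, stricter than a bare makepkg run).
    """
    allowed = {k.replace(" ", "").upper() for k in validpgpkeys}
    primary_fpr = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        # Any hard failure short-circuits: bad signature, unknown, expired or revoked key.
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"{keyword}: signature not valid"
        if keyword == "VALIDSIG":
            primary_fpr = fields[-1].upper()  # last field: primary key fingerprint
    if primary_fpr is None:
        return False, "no VALIDSIG line: nothing was cryptographically verified"
    if primary_fpr not in allowed:
        return False, f"valid signature, but key {primary_fpr} is not in validpgpkeys"
    return True, f"valid signature from allow-listed key {primary_fpr}"
```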
