[aur-general] Build packages without Arch on pkgbuild.com

Florian Pritz bluewind at xinu.at
Sun Apr 8 11:49:58 UTC 2018

On 08.04.2018 05:01, Eli Schwartz via aur-general wrote:
> If you're really afraid of someone running as either your user, or some
> user with the power to hijack your SSH session, while you're trying to
> sign something, then they could just switch out your built files anyway.
> There's literally no solution there, except to build everything on your
> machine and not use soyuz at all. "clave" won't help either, because
> it's got the same fundamental problem of not actually being your trusted
> machine from beginning to end.

Yes, the built files may not be trustworthy if an attacker is present,
but the potential scope of this is limited to our package files.

The problem with agent forwarding is that people generally configure
their agent to cache passwords so they don't have to unlock their keys
all the time. With that in mind, an attacker can just request that the
agent signs something after the package has been signed and there won't
be any dialog popping up. That includes trust signatures on the
attacker's key or just messages to prove that they are someone else.

Also people might have more than one key in their agent. If you have gpg
and ssh keys in there, the attacker can just connect to other machines
by using your forwarded agent's ssh key. Also, again there probably
won't be a prompt since the password is usually cached.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20180408/6b578b63/attachment.asc>

More information about the aur-general mailing list