07-05-2011, 03:53 AM
Paul Wouters
Subject: vsftpd in the news

On Tue, 5 Jul 2011, Misha Shnurapet wrote:

>> The backdoor payload is interesting. In response to a smiley face in the FTP username, a TCP callback shell is attempted.
>
>> There is no obfuscation.
>
> I have a question: how does that relate to our package building process, and are GPG signatures verified?

For Fedora, package maintainers are responsible for uploading verified tarballs to the Fedora build
system. I know I check the GPG signatures on the ones I upload, though these are not always available
as separate sig files.

It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
automatically check the tarball.

Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
07-05-2011, 04:27 AM
Michael Cronenworth
Subject: vsftpd in the news

On 07/04/2011 10:53 PM, Paul Wouters wrote:
> It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
> automatically check the tarball.

Hm, yes. It would be nice to see Koji support checking source sigs. OBS
already does so. Seeing as Debian has done this for years with the
source .deb including a signature file, RPM >4.9 could support sigs for
the Source0 file.

In the meantime, perhaps AutoQA could have a check added against the
source checksum?
 
07-05-2011, 08:46 AM
Michael Schwendt
Subject: vsftpd in the news

On Mon, 4 Jul 2011 23:53:38 -0400 (EDT), PW (Paul) wrote:

> It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
> automatically check the tarball.

Some packagers do upload the detached sig and add it to the spec
as another Source file URL.

The uploaded tarball checksum enters the "sources" file in git, and any
tarball downloaded from the lookaside cache MUST match that checksum.
Else it wouldn't be downloaded and used. Source RPM build in koji would
fail.
 
07-05-2011, 09:01 AM
Andreas Schwab
Subject: vsftpd in the news

Michael Schwendt <mschwendt@gmail.com> writes:

> The uploaded tarball checksum enters the "sources" file in git, and any
> tarball downloaded from the lookaside cache MUST match that checksum.
> Else it wouldn't be downloaded and used. Source RPM build in koji would
> fail.

That won't help if the tarball is already defective when uploaded. The
checksum is basically only used to identify the blob in the cache, at
most to detect cache corruptions.

Andreas.

--
Andreas Schwab, schwab@redhat.com
GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84 5EC7 45C6 250E 6F00 984E
"And now for something completely different."
 
07-05-2011, 09:13 AM
Nils Philippsen
Subject: vsftpd in the news

On Mon, 2011-07-04 at 23:27 -0500, Michael Cronenworth wrote:
> On 07/04/2011 10:53 PM, Paul Wouters wrote:
> > It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
> > automatically check the tarball.
>
> Hm, yes. It would be nice to see Koji support checking source sigs. OBS
> already does so. Seeing as Debian has done this for years with the
> source .deb including a signature file, RPM >4.9 could support sigs for
> the Source0 file.

Making Source0 a special case sounds rather dirty to me; if at all, such
functionality should be available for all source files (and eventually
patches).

Furthermore, just having a signature file doesn't help a bit if you
can't be sure who created the signature... and I suspect if we were to
restrict ourselves to upstream packages that a) have gpg signatures b)
from keypairs not more than a certain "distance" (web-of-trust-wise)
away from a known good keypair, we'd be able to trim down the package
repositories substantially ;-). So for the time being I guess we should
stick with letting package maintainers check this (if there is anything
to check).

Nils
--
Nils Philippsen
Red Hat
nils@redhat.com
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
"Those who would give up Essential Liberty to purchase a little Temporary Safety,
deserve neither Liberty nor Safety." -- Benjamin Franklin, 1759

 
07-05-2011, 10:31 AM
Michael Schwendt
Subject: vsftpd in the news

On Tue, 05 Jul 2011 11:01:15 +0200, AS (Andreas) wrote:

> > The uploaded tarball checksum enters the "sources" file in git, and any
> > tarball downloaded from the lookaside cache MUST match that checksum.
> > Else it wouldn't be downloaded and used. Source RPM build in koji would
> > fail.
>
> That won't help if the tarball is already defective when uploaded. The
> checksum is basically only used to identify the blob in the cache, at
> most to detect cache corruptions.

And I didn't claim otherwise.

The post I replied to already had mentioned:

| For Fedora, package maintainers are responsible for uploading verified
| tarballs to the Fedora build system.
 
07-05-2011, 04:59 PM
Adam Williamson
Subject: vsftpd in the news

On Mon, 2011-07-04 at 23:27 -0500, Michael Cronenworth wrote:

> In the meantime, perhaps AutoQA could have a check added against the
> source checksum?

That sounds like an excellent idea for a contribution! Remember, the
AutoQA project is explicitly designed to allow and indeed encourage
tests to be contributed - we would love it if the core AutoQA team
worked mostly on the framework, and tests were contributed by many
people. See https://fedoraproject.org/wiki/Writing_AutoQA_Tests .
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

 
07-05-2011, 05:15 PM
Adam Williamson
Subject: vsftpd in the news

On Tue, 2011-07-05 at 11:13 +0200, Nils Philippsen wrote:
> On Mon, 2011-07-04 at 23:27 -0500, Michael Cronenworth wrote:
> > On 07/04/2011 10:53 PM, Paul Wouters wrote:
> > > It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
> > > automatically check the tarball.
> >
> > Hm, yes. It would be nice to see Koji support checking source sigs. OBS
> > already does so. Seeing as Debian has done this for years with the
> > source .deb including a signature file, RPM >4.9 could support sigs for
> > the Source0 file.
>
> Making Source0 a special case sounds rather dirty to me; if at all, such
> functionality should be available for all source files (and eventually
> patches).
>
> Furthermore, just having a signature file doesn't help a bit if you
> can't be sure who created the signature... and I suspect if we were to
> restrict ourselves to upstream packages that a) have gpg signatures b)
> from keypairs not more than a certain "distance" (web-of-trust-wise)
> away from a known good keypair, we'd be able to trim down the package
> repositories substantially ;-). So for the time being I guess we should
> stick with letting package maintainers check this (if there is anything
> to check).

I didn't see any suggestion that packages be *required* to have a
signature, only that we somehow run an automated check on one if there
is one.

Rather than making specific Source numbers a special case, why not just go
on naming? The convention for signatures is to add an extension to the
name of the tarball the signature is for; that shouldn't be too hard to
implement, I don't think.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

 
07-05-2011, 05:43 PM
Benjamin Lewis
Subject: vsftpd in the news

On 07/05/2011 05:15 PM, Adam Williamson wrote:
>
> I didn't see any suggestion that packages be *required* to have a
> signature, only that we somehow run an automated check on one if there
> is one.
>
> Rather than making specific Source numbers a special case, why not just go
> on naming? The convention for signatures is to add an extension to the
> name of the tarball the signature is for; that shouldn't be too hard to
> implement, I don't think.

Surely the automated testing tool would need a way of being fed
known-trusted public keys in advance as well?

--
Benjamin Lewis
Returning Officer and Past-President
Durham Union Society

Mobile: +44 7540 379074 Office: +44 191 384 3724
Pemberton Buildings, Palace Green, Durham

 
07-05-2011, 08:56 PM
Miloslav Trmač
Subject: vsftpd in the news

On Tue, Jul 5, 2011 at 7:43 PM, Benjamin Lewis <ben.lewis@benl.co.uk> wrote:
> On 07/05/2011 05:15 PM, Adam Williamson wrote:
>>
>> I didn't see any suggestion that packages be *required* to have a
>> signature, only that we somehow run an automated check on one if there
>> is one.
>>
>> Rather than making specific Source numbers a special case, why not just go
>> on naming? The convention for signatures is to add an extension to the
>> name of the tarball the signature is for; that shouldn't be too hard to
>> implement, I don't think.
>
> Surely the automated testing tool would need a way of being fed
> known-trusted public keys in advance as well?

Unless my memory is failing me, we already had a mechanism for this
(specifying the trusted keys and verifying signatures) in the CVS
package repository (in Makefile.common). Perhaps most of that could
be reused.
Mirek
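The thread sketches three separate checks that a source-verification step would need: the lookaside "sources" checksum that Michael Schwendt describes (which, as Andreas Schwab notes, only proves the blob is the one the maintainer uploaded), the pairing of a tarball with its detached signature by file name rather than by Source number (Adam Williamson's suggestion), and verification against a pre-loaded set of trusted keys (Benjamin Lewis's point, and what Miloslav recalls Makefile.common doing). The script below is an added example that puts those three pieces together; it is not fedpkg, koji, AutoQA or Makefile.common code. The two "sources" line formats it accepts, the gpg flags it uses, and the sample spec, tarball bytes and keyring path are assumptions made for the example.

```python
# Added example, not Fedora tooling: pair SourceN files with detached
# signatures by naming convention, check lookaside checksums, and verify
# signatures against a dedicated keyring of known-good upstream keys.
import hashlib
import re
import subprocess

SIG_SUFFIXES = (".asc", ".sig", ".sign")          # assumed signature extensions
SOURCE_RE = re.compile(r"^Source\d*\s*:\s*(\S+)", re.IGNORECASE)
DIGEST_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def spec_source_names(spec_text):
    """Basenames of every SourceN line in a spec, in order (URLs stripped)."""
    names = []
    for line in spec_text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            names.append(m.group(1).rsplit("/", 1)[-1])
    return names


def pair_signatures(names):
    """Map each non-signature source to its detached signature, or None.
    Pairing is by file name only, so Source0 is not a special case."""
    pairs = {}
    for n in names:
        if n.endswith(SIG_SUFFIXES):
            continue
        pairs[n] = next((n + s for s in SIG_SUFFIXES if n + s in names), None)
    return pairs


def parse_sources_file(text):
    """Parse a lookaside 'sources' file into {name: (algo, hexdigest)}.
    Accepts 'md5sum  name' lines and 'SHA512 (name) = hex' lines; which of
    the two a given tree uses is an assumption of this example."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\w+)\s+\((.+)\)\s*=\s*([0-9a-fA-F]+)$", line)
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
            continue
        m = re.match(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$", line)
        if m and len(m.group(1)) in DIGEST_BY_LEN:
            entries[m.group(2)] = (DIGEST_BY_LEN[len(m.group(1))], m.group(1).lower())
    return entries


def make_sources_line(name, data, algo="sha512"):
    """Build a 'SHA512 (name) = hex' line for constructed test data."""
    return "%s (%s) = %s" % (algo.upper(), name, hashlib.new(algo, data).hexdigest())


def checksum_matches(data, algo, expected):
    """Integrity only: a tarball tampered with before upload still matches."""
    return hashlib.new(algo, data).hexdigest() == expected.lower()


def gpg_verify_argv(keyring, sig_path, data_path):
    """gpg invocation pinned to a dedicated keyring, so a signature made with
    some arbitrary key (not in the keyring) does not pass."""
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
            "--verify", sig_path, data_path]


def gpg_verify(keyring, sig_path, data_path):
    """Exit status 0 means a good signature from a key present in the keyring."""
    return subprocess.run(gpg_verify_argv(keyring, sig_path, data_path),
                          capture_output=True).returncode == 0


def check_sources(spec_text, sources_text, blobs):
    """Per source: does the lookaside checksum hold, and which signature file
    (if any) belongs to it. blobs maps file name -> bytes from the cache."""
    sums = parse_sources_file(sources_text)
    report = {}
    for name, sig in pair_signatures(spec_source_names(spec_text)).items():
        algo, digest = sums.get(name, (None, None))
        ok = algo is not None and name in blobs and checksum_matches(blobs[name], algo, digest)
        report[name] = {"checksum_ok": ok, "signature": sig}
    return report


# Constructed sample input (hypothetical package, not real data).
SAMPLE_TARBALL = b"constructed tarball bytes for example-1.0"
SAMPLE_SPEC = """Name: example
Source0: https://example.invalid/example-1.0.tar.gz
Source1: https://example.invalid/example-1.0.tar.gz.asc
"""
SAMPLE_SOURCES = make_sources_line("example-1.0.tar.gz", SAMPLE_TARBALL) + "\n"

if __name__ == "__main__":
    print(check_sources(SAMPLE_SPEC, SAMPLE_SOURCES, {"example-1.0.tar.gz": SAMPLE_TARBALL}))
```

The checksum step and the signature step answer different questions: the first catches a cache corruption or a wrong download, the second is the only one that says anything about who produced the tarball, and it only does so if the keyring handed to gpg contains nothing but keys someone has deliberately vetted, which is why the example never falls back to the packager's default keyring.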
 