Re: [Fedora-devel] Safety of rpmbuild --sign?

On Sun, Mar 30, 2003 at 11:30:29PM -1000, Warren Togami wrote:
> I was just thinking...
> Who uses rpmbuild --sign rather than rpm --addsign for package
> signing?  While rpmbuild --sign works, isn't there the possibility for
> security danger if you build a package with a trojan in the build
> system?  It could *possibly* read your ~/.gnupg directory and send it
> over the Internet, right?

That does sound possible and sensible. I didn't even know you could do
them both at once.

> I personally always keep the build user and signer separated.  I am
> gaining a small bit of safety right?

Sounds like it. Especially in an automated build that makes sense. It
might be neat if the build system in one way or another gave you diffs
from the previous version's source and waited for a green light to
build. Then again, with possible patches etc the build process is
probably interactive at least in some ways and packages.

Another thing a separate sign user could do is run some (automatic)
tests on the package. Make sure it contains the right files in the right
places with the right permissions (no build-user-owned files!) and has or
has not the right pre/post scripts and information fields.

Sort of an assembly line setup there.
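As an added illustration of the "separate sign user runs automatic tests" idea (this is example code written for this page, not anything from the thread or from rpm itself): the checks below operate on the text that `rpm -qp --qf '[%{FILENAMES}\t%{FILEUSERNAME}\t%{FILEGROUPNAME}\t%{FILEMODES:perms}\n]'` and `rpm -qp --scripts` print for a package, so the signing account can refuse to sign a package that ships build-user-owned files, files outside the expected install prefixes, world-writable or setuid files, or scriptlets it did not expect. The build account names, allowed prefixes, file paths and scriptlet text are constructed assumptions for the example; the sample query output is embedded so it runs without an rpm binary.

```python
"""Pre-signing sanity checks for a freshly built RPM (example code, not from the thread).

Works on the output of two rpm queries, so the logic can be tested on
constructed sample text without an rpm binary:

    rpm -qp --qf '[%{FILENAMES}\t%{FILEUSERNAME}\t%{FILEGROUPNAME}\t%{FILEMODES:perms}\n]' pkg.rpm
    rpm -qp --scripts pkg.rpm
"""
import re
import subprocess
import sys

BUILD_USERS = {"builder", "mockbuild"}            # assumed names of build accounts
ALLOWED_PREFIXES = ("/usr/", "/etc/", "/var/lib/")  # assumed install-prefix policy
SUSPICIOUS = re.compile(r"\b(curl|wget|nc|ncat|ssh|scp)\b")  # network tools in scriptlets

# Constructed sample output of the file query (one tab-separated line per file).
SAMPLE_FILE_QUERY = (
    "/usr/bin/foo\troot\troot\t-rwxr-xr-x\n"
    "/usr/share/doc/foo/README\tbuilder\tbuilder\t-rw-r--r--\n"
    "/etc/foo.conf\troot\troot\t-rw-rw-rw-\n"
    "/home/builder/leftover\troot\troot\t-rw-r--r--\n"
)

# Constructed sample output of `rpm -qp --scripts`.
SAMPLE_SCRIPTS_QUERY = (
    "postinstall scriptlet (using /bin/sh):\n/sbin/ldconfig\n"
    "postuninstall scriptlet (using /bin/sh):\n/sbin/ldconfig\n"
)


def parse_file_list(query_output):
    """Turn 'path<TAB>user<TAB>group<TAB>perms' lines into dicts."""
    entries = []
    for line in query_output.splitlines():
        if not line.strip():
            continue
        path, user, group, perms = line.split("\t")
        entries.append({"path": path, "user": user, "group": group, "perms": perms})
    return entries


def check_files(entries, build_users=BUILD_USERS, allowed_prefixes=ALLOWED_PREFIXES):
    """Return a list of findings; an empty list means the file list is clean."""
    findings = []
    for e in entries:
        if e["user"] in build_users or e["group"] in build_users:
            findings.append(f"{e['path']}: owned by build account {e['user']}:{e['group']}")
        if not e["path"].startswith(allowed_prefixes):
            findings.append(f"{e['path']}: outside allowed install prefixes")
        perms = e["perms"]
        if len(perms) == 10:
            # perms look like -rwxr-xr-x: index 8 is the 'other' write bit,
            # index 3 / 6 carry 's' or 'S' when setuid / setgid is set.
            if perms[8] == "w":
                findings.append(f"{e['path']}: world-writable ({perms})")
            if perms[3] in "sS" or perms[6] in "sS":
                findings.append(f"{e['path']}: setuid/setgid ({perms})")
    return findings


def scriptlets(scripts_output):
    """Map scriptlet name -> body, parsed from `rpm -qp --scripts` output headers
    of the form 'postinstall scriptlet (using /bin/sh):'."""
    bodies, current = {}, None
    for line in scripts_output.splitlines():
        m = re.match(r"^(\w+) scriptlet(?: \(using [^)]*\))?:", line)
        if m:
            current = m.group(1)
            bodies[current] = []
        elif current is not None:
            bodies[current].append(line)
    return {name: "\n".join(lines).strip() for name, lines in bodies.items()}


def check_scripts(scripts_output, expected):
    """Compare the scriptlets present against the set the signer expects."""
    present = scriptlets(scripts_output)
    findings = [f"unexpected {n} scriptlet" for n in sorted(set(present) - set(expected))]
    findings += [f"missing {n} scriptlet" for n in sorted(set(expected) - set(present))]
    for name, body in present.items():
        if SUSPICIOUS.search(body):
            findings.append(f"{name} scriptlet invokes a network tool: {body!r}")
    return findings


def check_package(rpm_path, expected_scriptlets):
    """Run both rpm queries on a real package and return all findings (needs rpm)."""
    fmt = "[%{FILENAMES}\t%{FILEUSERNAME}\t%{FILEGROUPNAME}\t%{FILEMODES:perms}\n]"
    files = subprocess.run(["rpm", "-qp", "--qf", fmt, rpm_path],
                           check=True, capture_output=True, text=True).stdout
    scripts = subprocess.run(["rpm", "-qp", "--scripts", rpm_path],
                             check=True, capture_output=True, text=True).stdout
    return check_files(parse_file_list(files)) + check_scripts(scripts, expected_scriptlets)


if __name__ == "__main__":
    # Usage: python check_rpm.py pkg.rpm [expected scriptlet names...]
    problems = check_package(sys.argv[1], set(sys.argv[2:]))
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)   # non-zero exit keeps the signing step from running
```

On the constructed sample, `check_files` reports three problems (a build-user-owned README, a world-writable config file and a stray file under /home), and `check_scripts` is clean when the signer expects exactly a postinstall and a postuninstall scriptlet. Wiring the non-zero exit into the signing step is what makes this an assembly line: the signer only ever runs `rpm --addsign` on a package that passed.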

