Re: [Mageia-dev] Problem with missing signatures

2012-12-29 Thread Pascal Terjan
On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski n...@gmx.com wrote:
 Hello!

 Could we add a trigger to prevent unsigned packages from being uploaded?

 I've faced again a bunch of unsigned packages.. and when I was trying to
 rebuild plexus-i18n against missing signature, with bumping the release -
 the build system said it's already built with that version [1].

 How is it possible? I have checked the history of this package.. and it was
 never released as the version in the build system.

 Am I missing something? Was there an attack and a package injection?

 Kamil

 [1]
 http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801r2=335589

It seems someone manually uploaded the package on December 1st, after
building it on a machine named karamel; this seems to be dmorgan's
machine.


Re: [Mageia-dev] Problem with missing signatures

2012-12-29 Thread Kamil Rytarowski

On 29.12.2012 20:11, Pascal Terjan wrote:

 On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski n...@gmx.com wrote:

 Hello!

 Could we add a trigger to prevent unsigned packages from being uploaded?

 I've faced again a bunch of unsigned packages.. and when I was trying to
 rebuild plexus-i18n against missing signature, with bumping the release -
 the build system said it's already built with that version [1].

 How is it possible? I have checked the history of this package.. and it was
 never released as the version in the build system.

 Am I missing something? Was there an attack and a package injection?

 Kamil

 [1]
 http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801r2=335589

 It seems someone manually uploaded the package on December 1st, after
 building it on a machine named karamel; this seems to be dmorgan's
 machine.

Thank you Pascal for your reply, so it was injected (in other words
manually uploaded).

I may understand that in some circumstances there is a need to do manual
operations over our buildservers, but please for the sake of security
and credibility of Mageia prohibit uploading locally built packages into
the outside world, servers! Without it a user or developer cannot see if
a local mirror (or someone in-the-middle) is injecting Trojan packages
or not.


Re: [Mageia-dev] Problem with missing signatures

2012-12-29 Thread Pascal Terjan
On Sat, Dec 29, 2012 at 7:44 PM, Kamil Rytarowski n...@gmx.com wrote:
 On 29.12.2012 20:11, Pascal Terjan wrote:

 On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski n...@gmx.com wrote:

 Hello!

 Could we add a trigger to prevent unsigned packages from being uploaded?

 I've faced again a bunch of unsigned packages.. and when I was trying to
 rebuild plexus-i18n against missing signature, with bumping the release -
 the build system said it's already built with that version [1].

 How is it possible? I have checked the history of this package.. and it was
 never released as the version in the build system.

 Am I missing something? Was there an attack and a package injection?

 Kamil

 [1]

 http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801r2=335589

 It seems someone manually uploaded the package on December 1st, after
 building it on a machine named karamel; this seems to be dmorgan's
 machine.

 Thank you Pascal for your reply, so it was injected (in other words
 manually uploaded).

 I may understand that in some circumstances there is a need to do manual
 operations over our buildservers, but please for the sake of security and
 credibility of Mageia prohibit uploading locally built packages into the
 outside world, servers! Without it a user or developer cannot see if a local
 mirror (or someone in-the-middle) is injecting Trojan packages or not.

This is not supposed to happen but can be done temporarily by
sysadmins (usually for some kind of bootstrapping when you need the
package to be on the mirrors to be able to upload it or another one it
requires). It seems it was the case but dmorgan forgot to upload the
correct package afterwards.

We should definitely improve things so that this is logged and
packages get signed when uploaded manually by admins.
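A defender-side check for the situation discussed in this thread, added here as an illustration and not part of the list discussion or of Mageia's build system: it parses an RPM's signature header and reports packages that carry no OpenPGP signature, the kind of test an upload hook or a mirror audit could run before a manually uploaded package reaches the outside world. The tag numbers are RPM's standard signature-header tags; make_fixture builds constructed, minimal synthetic files for testing only.

```python
import struct
import sys

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"   # start of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # magic of the header structure that follows the lead
LEAD_SIZE = 96
# Standard RPM signature-header tags that carry an OpenPGP signature
SIG_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}


def signature_tags(data: bytes) -> list:
    """Walk the signature header's index and return the signature tags it contains."""
    if len(data) < LEAD_SIZE + 16 or data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file")
    hdr = LEAD_SIZE
    if data[hdr:hdr + 4] != HEADER_MAGIC:
        raise ValueError("signature header missing")
    nindex = struct.unpack(">I", data[hdr + 8:hdr + 12])[0]
    index = data[hdr + 16:hdr + 16 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("truncated signature header")
    found = []
    for i in range(nindex):  # each index entry: tag, type, offset, count (big-endian int32)
        tag, _type, _offset, count = struct.unpack(">iiii", index[16 * i:16 * i + 16])
        if tag in SIG_TAGS and count > 0:
            found.append(SIG_TAGS[tag])
    return found


def unsigned_packages(packages: dict) -> list:
    """Given {name: leading bytes of the file}, return the names with no OpenPGP signature."""
    return [name for name, data in packages.items() if not signature_tags(data)]


def make_fixture(tags) -> bytes:
    """Constructed test fixture: a lead plus a signature header listing the given tags only."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\x00" * (LEAD_SIZE - 6)
    entries = b"".join(struct.pack(">iiii", t, 7, 0, 1) for t in tags)  # type 7 = BIN
    header = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), 0) + entries
    return lead + header


if __name__ == "__main__":
    files = {}
    for p in sys.argv[1:]:
        with open(p, "rb") as f:  # the index precedes the signature data, so a prefix suffices
            files[p] = f.read(65536)
    for name in unsigned_packages(files):
        print("UNSIGNED:", name)
```

Presence of a signature tag only shows that a signature was attached; verifying it against the distribution keyring (rpm -K or rpmkeys) is the next step, and a package signed with an unknown key should be treated like an unsigned one.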


Re: [Mageia-dev] Problem with missing signatures

2012-12-29 Thread D.Morgan
On Sat, Dec 29, 2012 at 7:49 PM, Kamil Rytarowski n...@gmx.com wrote:
 Hello!

 Could we add a trigger to prevent unsigned packages from being uploaded?

 I've faced again a bunch of unsigned packages.. and when I was trying to
 rebuild plexus-i18n against missing signature, with bumping the release -
 the build system said it's already built with that version [1].

 How is it possible? I have checked the history of this package.. and it was
 never released as the version in the build system.

 Am I missing something? Was there an attack and a package injection?

 Kamil

 [1]
 http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801r2=335589

fixed


Re: [Mageia-dev] Problem with missing signatures

2012-12-29 Thread Kamil Rytarowski

On 29.12.2012 21:03, D.Morgan wrote:

 On Sat, Dec 29, 2012 at 7:49 PM, Kamil Rytarowski n...@gmx.com wrote:

 Hello!

 Could we add a trigger to prevent unsigned packages from being uploaded?

 I've faced again a bunch of unsigned packages.. and when I was trying to
 rebuild plexus-i18n against missing signature, with bumping the release -
 the build system said it's already built with that version [1].

 How is it possible? I have checked the history of this package.. and it was
 never released as the version in the build system.

 Am I missing something? Was there an attack and a package injection?

 Kamil

 [1]
 http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801r2=335589

 fixed

Thank you