fedora-startqa
Toshio
toshio at tiki-lounge.com
Fri Apr 2 15:46:24 UTC 2004
On Fri, 2004-04-02 at 01:43, Aurelien Bompard wrote:
> > - (Showing my ignorance of mach) How safe is it to build untrusted
> > sources within mach? since mach builds the package before the user gets
> > a chance to go look at whether the Source URL is canonical, I was
> > wondering....
>
> Well, you can read the spec file before building in mach, so you can look at
> the URLs for the sources, start your browser and have a look. Is that what
> you mean?
Two problems:
1) In batch mode, the human element is missing. If it is insecure,
there needs to be a way to disable mach building from the commandline.
2) If the script is aimed at newbies, there should be a warning of the
potential dangers of building the source package and what can be done to
reduce that risk. In qa-assistant's checklist, I tried to create a list
of High Security items that should be evaluated before the reviewer
started doing anything else. Maybe a list like that (minus things that
are checked automatically) spit out to the screen before viewing the
spec file?
> > - The first time I ran it, the script errored out because there was an
> > old version of an md5sum file on the server that didn't have the package
> > version I had up there.
>
> Can you give me a bug id ?
>
I corrected the out of date md5sum file (It was with a package that I
had control over.) I'll try re-provoking the bug (or tracing it in the
code) when I have a bit of time.
> > However, GPG signed SRPMs are equivalent to
> > checking a GPG signed md5sum file that has an md5sum for the SRPM. So
> > my view is if the GPG signature on the SRPM is good and the MD5SUM file
> > doesn't contradict it (ie: different signing keys, different MD5Sums for
> > the same file) it shouldn't error out.
>
> Yes, there is this -c option to disable srpm md5sum checking.
>
I'll give this a try too. I think, though, what I want is for the
script to automatically make a decision that an SRPM with a valid GPG
does not have to have its md5sum checked.
Slightly more paranoid is to make the following checks:
1] GPG signature of SRPM
2] Is the md5sum of the relevant SRPM in the md5sum file?
3] GPG signature of md5sum file
4] Did the same key sign both files?
If all pass, then pass the test.
If 1] passes and 2] fails, pass the test.
All other cases fail.
--
_______S________U________B________L________I________M________E_______
t o s h i o + t i k i - l o u n g e . c o m
GA->ME 1999