[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-release-team
Subject: Re: Limiting who can create v${NUMBER}.${NUMBER}.${NUMBER} tags in KDE Applications git repos
From: Christian Mollekopf <chrigi_1 () fastmail ! fm>
Date: 2018-06-25 11:22:19
Message-ID: 1529925739.2016889.1419389720.3D048BD6 () webmail ! messagingengine ! com
[Download RAW message or body]
On Mon, Jun 25, 2018, at 10:56 AM, Rolf Eike Beer wrote:
> Ben Cooksley wrote:
> > On Mon, Jun 25, 2018 at 6:57 PM, Rolf Eike Beer
> > <kde@opensource.sf-tec.de> wrote:
> > > Am 2018-06-24 22:56, schrieb Albert Astals Cid:
> > > >
> > > > Hi, would anyone be against limiting who can create
> > > > v${NUMBER}.${NUMBER}.${NUMBER}
> > > > i.e. tags that look like our release tags to members of the release
> > > > team
> > > > for
> > > > the KDE Applications git repositories?
> > > >
> > > > Rationale: Some distros build from git tags so creating a "release
> > > > looking
> > > > tag" is for them like "using the release tarball" and we already
> > > > limit who
> > > > can
> > > > upload release tarballs to the download.kde.org so it would be a
> > > > similar
> > > > restriction but for the git side.
> > >
> > >
> > > This sounds sane to me. Simply require those tags to be signed by
> > > $key_in_known_good_list.
> >
> > Given the recent security issues surrounding interaction with GPG done
> > by external programs, I would rather not perform key verification.
>
> Which one do you mean? The EFFfail one, that was about tricking mail
> clients into data exfiltration (which is not relevant here)? The one
> where the embedded filename was not properly sanitized (CVE-2018-12020)
> and every distro should already have a patch deployed? Or the side
> channel attacks to recover the private key that is not on the git
> machine at all?
>
> Sorry, but not doing GnuPG is always the worse option.
>
Having looked at the EFAIL vulnerability in particular I agree I see no reason to not \
do key verification. Any processing in principle has potential for vulnerabilities, \
but verifying a signature with a public key is IMO not any more dangerous than any \
other arbitrary operation or script.
Cheers,
Christian
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic