[Pkg-gnupg-maint] Bug#711744: Bug#711744: [gnupg] Please check signature files when getting new orig.tar.gz

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Dec 15 18:44:16 UTC 2013


On 12/13/2013 03:33 AM, Thijs Kinkhorst wrote:
> Well, the idea of making it invalid was to see if the download would
> actually fail on that.

uscan should fail (return non-zero) if pgpsigmangleurl is present and
anything prevents full validation of the upstream source.

This won't stop the file from being downloaded, of course -- in order to
perform the signature validation, we need to download the file to be
validated first :)

If the debian package maintainer goes ahead and uses a partial download
(or a download that failed for any other reason) as their upstream
source, that is a problem regardless of whether the failure is due to an
invalid signature or any other problem.

That said, any suggestions for improving the behavior of uscan in this
context would be welcome.

> In any case, given the seemingly endless supply of security bugs being
> discovered in uscan I'm going to hold off on this for a while now.

If a packager uses uscan to check for upgrades, they are opening
themselves to some possible security vulnerabilities (including recent
ones like CVE-2013-7085).  One of the existing problems is that uscan
does nothing to verify cryptographic proofs of origin by default.

Incorporating Franz' proposed changes in the gnupg packaging would add a
layer of protection for packagers who use uscan properly, while not
increasing any risk to those packagers who do not use uscan.

And of course none of this is a substitute for human review of code
changes -- it's simply a way to require a cryptographic proof of origin
as a baseline for the review.

Incorporating this change into the gnupg packaging would be a good
thing, in my opinion.

Thanks for considering it, and for all your work on gnupg in debian.

Regards,

	--dkg
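The fail-closed check described above, as an added example rather than code from the message or from devscripts: a small POSIX shell function that mirrors what uscan does for a tarball fetched under a watch file with the `pgpsigurlmangle` option, returning non-zero when anything prevents full validation. The watch-file stanza, the URL and the keyring path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: the check a maintainer can run by hand on a freshly fetched
# upstream tarball, mirroring uscan's behaviour when debian/watch carries
# pgpsigurlmangle. Everything must be present and verify, or we fail closed.
#
# Assumed debian/watch stanza (the .sig suffix and the URL are illustrative):
#   version=3
#   opts=pgpsigurlmangle=s/$/.sig/ \
#     https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz
#
# Assumed keyring: a binary OpenPGP keyring holding only the upstream signing
# key (for an armored file, make one with: gpg --dearmor < signing-key.asc).
# Pass it with a path containing a slash, otherwise gpgv looks in its homedir.

# verify_orig TARBALL SIGFILE KEYRING
# Returns 0 only if SIGFILE is a good detached signature over TARBALL made by
# a key in KEYRING. Any other condition (missing or empty file, no gpgv, bad
# or unknown signature) returns 1, so a caller can refuse the download.
verify_orig() {
    tarball=$1 sigfile=$2 keyring=$3
    for f in "$tarball" "$sigfile" "$keyring"; do
        if [ ! -s "$f" ]; then
            echo "verify_orig: missing or empty file: $f" >&2
            return 1
        fi
    done
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "verify_orig: gpgv not available, cannot validate" >&2
        return 1
    fi
    # gpgv treats every key in the given keyring as trusted; its exit status
    # is non-zero for a bad signature or one made by a key not in the keyring.
    if gpgv --keyring "$keyring" "$sigfile" "$tarball"; then
        echo "verify_orig: good signature on $tarball" >&2
        return 0
    fi
    echo "verify_orig: signature validation FAILED for $tarball" >&2
    return 1
}

# Typical use, after uscan or wget has fetched both files:
#   verify_orig ../foo_1.2.orig.tar.gz ../foo-1.2.tar.gz.sig \
#       ./debian/upstream/signing-key.pgp || exit 1
```

The tarball is still on disk after a failure; the point is only that the exit status tells the packager not to use it.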
