[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Sat Jul 5 04:08:35 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Fri, Jul 4, 2014 at 11:15 AM, Karanbir Singh <mail-lists at karan.org> wrote:
> On 07/04/2014 02:46 PM, Nico Kadel-Garcia wrote:
>> Please consider the use of signed GPG tags for actual
>> SRPM updates, rather than merely relying on '[package].metadata, to
>> help assure provenance for people who may test or rebuild security
>> components.
>
> the content you get is pushed over https, the implementation on
> git.centos.org seems fairly secure. the content into the machine is via
> ssh, over a guaranteed ( in as much as network can be guaranteed ) link.
>
> we are also preventing anyone else from being able to commit with the
> source importer username/email and or using the word 'import' as the
> first chat in the commit.

Thanks. But Karanbir, "commit" is not the problem I'm referring to.
It's the ability to substitute a trojaned, fake repository in between
you and the client, to commit a "man-in-the-middle" attack. Valid SSL
certificates, and a clean repository at git.centos.org: the ability
to verify a particular "tag" with a GPG tag, particularly a cloned
local working copy with the "tags" from upstream for reference, is
invaluable. Red Hat's, and CentOS's, SRPM repositories avoided this by
having GPG signed SRPM's for reference. The GPG signature chain is
more safely managed and verified, in many ways, than the SSL has been.

> some of this is convention, but as the source that we consume, we are
> fairly sure of what is going through. If there are any specific concerns
> about code, do point them out - and if its security related, then email
> security at centos.org instead of a public list.

I'll take this issue over there.

> regards
>
> --
> Karanbir Singh
> +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
> GnuPG Key : http://www.karan.org/publickey.asc
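The point made above, that a GPG-signed tag can be checked in a local clone regardless of the link it was fetched over, as an added example that is not code from the thread or from git.centos.org. It assumes git and gpg are installed, and the key, repository and tag names it uses are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a GPG-signed git tag can be checked
# in a local clone against a key obtained out of band, independently of the
# TLS or SSH link the clone arrived over. Key, repo and tag are constructed here.
set -eu

setup_demo() {
    DEMO_WORK=$(mktemp -d)
    export GNUPGHOME="$DEMO_WORK/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway Ed25519 signing key with an empty passphrase (demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign 0
    KEYID=$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $5; exit}')

    # "Upstream": one import commit plus a tag signed with that key.
    git init -q "$DEMO_WORK/upstream"
    git -C "$DEMO_WORK/upstream" config user.name 'Demo Signer'
    git -C "$DEMO_WORK/upstream" config user.email 'demo@example.invalid'
    git -C "$DEMO_WORK/upstream" config user.signingkey "$KEYID"
    git -C "$DEMO_WORK/upstream" commit -q --allow-empty -m 'import foo-1.0-1.src.rpm'
    git -C "$DEMO_WORK/upstream" tag -s -m 'foo-1.0-1' foo-1.0-1

    # The clone is what a rebuilder works from; the tags come along with it.
    git clone -q "$DEMO_WORK/upstream" "$DEMO_WORK/clone"
}

# Prints "verified" only when the tag carries a good signature from a key in
# the local keyring; "REJECTED" for unsigned, bad or unknown-key signatures.
verify_tag() {  # $1 = repo path, $2 = tag name
    if git -C "$1" verify-tag "$2" >/dev/null 2>&1; then echo verified; else echo REJECTED; fi
}

# Simulate a substituted repository: the same tag name now names an unsigned
# tag object, which is what a repository in the middle could hand out.
tamper_tag() {  # $1 = repo path, $2 = tag name
    git -C "$1" tag -d "$2" >/dev/null
    git -C "$1" -c user.name=mitm -c user.email=mitm@example.invalid \
        tag -a -m 'looks the same' "$2"
}

cleanup_demo() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$DEMO_WORK"; }
```

Run `setup_demo`, then `verify_tag "$DEMO_WORK/clone" foo-1.0-1` before and after `tamper_tag "$DEMO_WORK/clone" foo-1.0-1` to see the signed tag accepted and the substituted one rejected.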