On 07/05/2014 08:21 PM, Johnny Hughes wrote:
On 07/05/2014 01:11 PM, Mark Mielke wrote:
I might be misunderstanding this thread... but if package signing and/or a message digest are not being applied to SRPMs, I also agree this is a problem.
We will sign all RPMs and SRPMs that we release ... this is about the git tree.
<snip>
Mark, CentOS devs suggested that it is better to build (your own packages, like the Scientific Linux people do, for example) from git rather than from RPMs, to better reproduce the entire build process, so Nico is arguing/pointing out possible caveats.
Considering that, according to news articles, the NSA (or another agency with access to the internet infrastructure between git.centos.org and the client in question) can intercept an SSL request posing as some kind of SSL proxy, pretending to be (for example) git.centos.org, create a secure connection to the client (which thinks it is talking to the original git.centos.org), then create a secure SSL connection between the agency's SSL proxy and git.centos.org.
Once those connections are created, it is easy to inject/replace code from git.centos.org so that a back-door is introduced. The client/user building that code (rebuilding CentOS to feel safer?) might not realize that every single system that uses his packages is now compromised and vulnerable to attack.
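One check a builder can apply against the substitution scenario above, as an added example that is not part of this thread and not CentOS project code: git object ids are content hashes, so if the expected tree or commit id is obtained through a separate channel (a signed release announcement, for instance) rather than from the same connection that delivers the tree, a proxy that replaces files cannot keep the id unchanged. The file contents and the "published" id below are constructed for the example; real builds would compare against an id taken from a signed source.

```python
import hashlib


def git_object_id(kind, data):
    """Git object id: SHA-1 over "<kind> <size>\\0<content>", as `git hash-object` computes it."""
    header = kind.encode() + b" " + str(len(data)).encode() + b"\0"
    return hashlib.sha1(header + data).hexdigest()


def blob_id(data):
    return git_object_id("blob", data)


def tree_id(files):
    """Id of a flat tree of regular files (mode 100644), entries sorted by name as git stores them."""
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def verify_pinned_tree(files, expected_tree_id):
    """True only if the checked-out files hash to the id the builder obtained out-of-band."""
    return tree_id(files) == expected_tree_id


# Constructed stand-in for a package checkout (spec plus one source file).
ORIGINAL = {
    "foo.spec": b"Name: foo\nVersion: 1.0\nRelease: 1\n",
    "foo.sh": b"#!/bin/sh\necho hello\n",
}

# Stands in for the tree id published through a separate, signed channel (constructed here).
PINNED_TREE_ID = tree_id(ORIGINAL)

# Constructed copy in which one file was altered in transit; every byte change moves the id.
TAMPERED = dict(ORIGINAL)
TAMPERED["foo.sh"] = b"#!/bin/sh\necho hello\n# extra line inserted in transit\n"


if __name__ == "__main__":
    print("pinned tree id :", PINNED_TREE_ID)
    print("original passes:", verify_pinned_tree(ORIGINAL, PINNED_TREE_ID))
    print("tampered passes:", verify_pinned_tree(TAMPERED, PINNED_TREE_ID))
```

The id is SHA-1, so this detects substitution of the delivered tree but is not a signature; a signed tag or commit verified against a key obtained out-of-band remains the stronger check.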