[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Sat Jul 5 18:39:48 UTC 2014
Ljubomir Ljubojevic <centos at plnet.rs>

On 07/05/2014 08:21 PM, Johnny Hughes wrote:
> On 07/05/2014 01:11 PM, Mark Mielke wrote:
>> I might be misunderstanding this thread... but if package signing
>> and/or message digest are not being applied to SRPM, I also agree this
>> is a problem.
> We will sign all RPMs and SRPMs that we release ... this is about the
> git tree.
> <snip>

Mark, CentOS devs suggested that it is better to build (your own
packages, like the Scientific Linux people do, for example) from git than
from RPMs, to better reproduce the entire build process, so Nico is
arguing/pointing out possible caveats.

Consider that, according to news articles, the NSA (or another agency with
access to the internet infrastructure between git.centos.org and the client
in question) can intercept an SSL request, posing as some kind of SSL proxy
and pretending to be (for example) git.centos.org: it creates a secure
connection to the client (which thinks it is talking to the original
git.centos.org), then creates a second secure SSL connection between the
agency's SSL proxy and git.centos.org.

Once those connections are created, it is easy to inject/replace code
from git.centos.org so that a back-door is introduced. The client/user
building that code (rebuilding CentOS to feel safer?) might not realize
that every single system that uses his packages is now compromised and
vulnerable to attack.

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant
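The scenario above (a TLS-terminating proxy standing between the client and git.centos.org) is exactly what public-key pinning is meant to make visible on the client side. The following Go program is an added example, not code from this thread or from the CentOS project: it builds an HTTPS client that, on top of normal CA validation, refuses any session whose leaf certificate's SubjectPublicKeyInfo hash is not in a pinned set, so a proxy presenting its own certificate for "git.centos.org" fails before a single byte of repository data is read. A local `httptest` server stands in for git.centos.org, and the "wrong" pin value is a constructed placeholder; both are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the same quantity HTTP Public Key Pinning used. Pinning the key rather than
// the whole certificate survives routine certificate renewals with the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient returns an http.Client whose TLS handshake fails unless the
// leaf certificate's SPKI hash is in allowed. VerifyPeerCertificate runs only
// after the usual chain verification against roots succeeded, so a proxy
// certificate signed by a trusted CA is still rejected on the pin check.
func pinnedClient(allowed map[string]bool, roots *x509.CertPool) *http.Client {
	tlsCfg := &tls.Config{
		RootCAs: roots,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no peer certificate presented")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if pin := spkiPin(leaf); !allowed[pin] {
				return fmt.Errorf("SPKI pin mismatch: server presented %s", pin)
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
}

// DemoResult records what the pinned client did against the local stand-in
// for git.centos.org: once with the genuine pin, once with a pin for some
// other key (what a client would hold if an interposed proxy answered).
type DemoResult struct {
	StatusWithCorrectPin int
	ErrWithCorrectPin    error
	ErrWithWrongPin      error
}

// RunDemo starts a loopback TLS server (assumption: it plays git.centos.org),
// then performs the two fetches described in DemoResult.
func RunDemo() DemoResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed stand-in for the first line of a git smart-HTTP info/refs reply.
		fmt.Fprint(w, "ref: refs/heads/master\n")
	}))
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	genuine := spkiPin(srv.Certificate())

	var res DemoResult
	resp, err := pinnedClient(map[string]bool{genuine: true}, roots).Get(srv.URL)
	res.ErrWithCorrectPin = err
	if err == nil {
		res.StatusWithCorrectPin = resp.StatusCode
		resp.Body.Close()
	}

	// The pinned set now contains only a constructed placeholder value, so the
	// server's real key no longer matches: this is what the client sees when
	// the party terminating TLS is not the one whose key was pinned.
	wrong := map[string]bool{"PLACEHOLDER-PIN-OF-A-DIFFERENT-KEY": true}
	_, res.ErrWithWrongPin = pinnedClient(wrong, roots).Get(srv.URL)
	return res
}

func main() {
	r := RunDemo()
	fmt.Println("genuine pin: status", r.StatusWithCorrectPin, "err", r.ErrWithCorrectPin)
	fmt.Println("foreign key: err", r.ErrWithWrongPin)
}
```

The pin has to be obtained out of band (for instance published alongside the signed release keys the thread already says CentOS uses for RPMs and SRPMs); fetching it over the same connection you are trying to protect defeats the purpose. Pinning detects the interposed proxy, but it does not replace signature checks on what is fetched: a signed tag or signed SRPM is what still lets you verify the content after the transport has been trusted.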