FS#49979 - [binutils] change the source, add the public key fingerprint, use sha512

Attached to Project: Arch Linux
Opened by . (flysprayer) - Thursday, 07 July 2016, 03:30 GMT
Last edited by Allan McRae (Allan) - Sunday, 08 January 2017, 06:29 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No
This task depends upon

Closed by  Allan McRae (Allan)
Sunday, 08 January 2017, 06:29 GMT
Reason for closing:  Won't implement
Comment by Allan McRae (Allan) - Thursday, 07 July 2016, 03:41 GMT
Why? The source is obtained from git, not a download. This is the first occasion in a long time that the build commit corresponds with a release.
Comment by Luke (Gaming4JC) - Monday, 07 November 2016, 08:15 GMT
  • Field changed: Percent Complete (100% → 0%)
In response to Allan's comment, I was able to find 2 reasons on why using git is a security problem.

1) We do not use HTTPS, which leaves us vunerable to MITM. I China even with HTTPS it is possible to be MITM'd: http://www.netresec.com/?page=Blog&month=2013-02&post=Forensics-of-Chinese-MITM-on-GitHub

2) The git repository itself can be hacked ( as in the past https://www.rapid7.com/db/modules/exploit/multi/http/git_client_command_exec) or social engineered: https://github.com/aguerrero/Faking-Git-Commits

For these reasons using GPG and SHA512 fingerprints of releases provides a better layer of integrity and trust.

Thanks for the consideration.
Comment by Jan de Groot (JGC) - Monday, 07 November 2016, 08:16 GMT
Obtaining sources from git is not a problem, but looking at the binutils PKGBUILD, the short commit ID is used instead of the full commit id. This could make a collision attack much easier. Please change to full commit hash.
Comment by Allan McRae (Allan) - Monday, 07 November 2016, 09:46 GMT
Git will fail if multiple commits match the commit ID. So a collision attack has no consequence.
Comment by NicoHood (NicoHood) - Sunday, 08 January 2017, 02:07 GMT
  • Field changed: Percent Complete (100% → 0%)
Allan said, that a collision attack is impossible, because git will detect if multiple commits would match the short id. However this does not apply if you take a clean git history and create your tampered git hash without the previous history. So the short hash combined with http is still a problem.
Comment by Luke (Gaming4JC) - Sunday, 08 January 2017, 04:58 GMT
Just got notification this was re-opened. Patch ready and attached.
   PKGBUILD (2.3 KiB)
Comment by . (flysprayer) - Sunday, 08 January 2017, 05:43 GMT Comment by Luke (Gaming4JC) - Sunday, 08 January 2017, 06:19 GMT
Done. Added commenting and switched to tar.bz2 in PKGBUILD.
   PKGBUILD (2.4 KiB)
Comment by Allan McRae (Allan) - Sunday, 08 January 2017, 06:29 GMT
Stop opening this - all the toolchain is built from git and this will not change.

Loading...