FS#63970 - [sway] Include PGP package checking

Attached to Project: Community Packages
Opened by Brett Cornwall (ainola) - Tuesday, 01 October 2019, 01:22 GMT
Last edited by Brett Cornwall (ainola) - Tuesday, 15 October 2019, 04:02 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jaroslav Lichtblau (Dragonlord), Alexander F. Rødseth (xyproto)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

The Github release tarballs have an accompanying .sig file. It would be good to use those.
This task depends upon

Closed by  Brett Cornwall (ainola)
Tuesday, 15 October 2019, 04:02 GMT
Reason for closing:  Fixed
Additional comments about closing:  Upstream had fixed this the day it was reported. I've released a new version that restores GPG verification. The response times for this could have been much better.

Lessons learned from this:

* Do not remove GPG keys unless there is good reason to do so (perhaps seek a second opinion)
* Unsavory comments toward fellow packagers do not help the situation and likely worsen it.
* Keep all interested parties in the loop when contacting an outside source
* Follow through on quick fixes sooner rather than later, particularly when politics get involved.
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 02 October 2019, 07:50 GMT
The .sig file is not correct for the downloads that sway upstream provides. We tried to use it.
Comment by Eli Schwartz (eschwartz) - Wednesday, 02 October 2019, 08:25 GMT
  • Field changed: Status (Unconfirmed → Assigned)
  • Field changed: Category (Packages → Security)
  • Field changed: Severity (Low → High)
So instead of asking upstream what is wrong with their signature, which is *supposed* to be a red flag that maybe something has been maliciously modified, you decided to stick your head in the sand and disable this entirely? Great work. I totally approve of this entirely uncommunicative process, first-class linux distroing right here.

The PGP signatures used to work, until they got mysteriously dropped during pkgver=1.2_rc2 which got built from git (and required an epoch to recover from). Did we really drop signatures just because someone was too busy to package a release candidate to even ask what was up with that key?
Comment by Robin Broda (coderobe) - Wednesday, 02 October 2019, 08:56 GMT
Dropping signatures when unavailable or invalid defeats the point of using signatures. Please refrain from doing this, for security's sake.
Comment by Alexander F. Rødseth (xyproto) - Monday, 07 October 2019, 09:56 GMT
Eli Schwartz, this has been communicated to upstream. I think you are communicating in a disrespectful manner.
Comment by Levente Polyak (anthraxx) - Monday, 07 October 2019, 10:05 GMT
When and where has it been communicated? Because when I dropped him a mail some days ago, he responded in 1h and was very much surprised it is invalid, including the analysis on the tracker.
I tried to resist answering, but as I'm answering anyway:
It is an absolute no-go, without excuse, to drop signatures and proceed when a signature doesn't apply; that's literally the worst thing that could happen. If it is technically detected that there is a verification issue with the authenticity, then it must be properly resolved; otherwise it's no different from clicking "Suppress and continue" on a popup that tells you "This piece of software is not what the author expects it to be, it may be malicious". I am frankly very much frustrated to see gpg handling like this happening.
Comment by Alexander F. Rødseth (xyproto) - Monday, 07 October 2019, 10:17 GMT
Jaroslav Lichtblau, did you get a response when contacting Sway upstream about this?
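As an added example (not code from this tracker, the sway project, or the Arch PKGBUILD), the following script shows what the thread is asking for: fail-closed verification of a detached .sig in the spirit of makepkg's `validpgpkeys` handling, where a source file is accepted only if its signature verifies *and* the signing key's fingerprint is on an allowlist, and where a missing .sig, a bad signature or an unexpected key all abort instead of being silently skipped. In a real PKGBUILD the same effect comes from listing the `.sig` next to the tarball in `source=()` and putting the upstream fingerprint in `validpgpkeys=()`; the key below is a throwaway generated in a temporary GNUPGHOME, the "tarball" is a constructed stand-in, the function and variable names are the example's own, and the script assumes a working `gpg` (2.1 or later) on the system.

```shell
#!/bin/sh
# Added example: fail-closed detached-signature checking modelled on makepkg's
# validpgpkeys behaviour. Nothing here is sway's or Arch's own code.
set -u

# verify_or_abort FILE SIGFILE "FPR1 FPR2 ..."
# Returns 0 only for a good signature whose signing key (or its primary key,
# as makepkg also accepts) is in the space-separated fingerprint allowlist.
verify_or_abort() {
    vo_file=$1 vo_sig=$2 vo_allowed=$3
    # A missing .sig is an error, never a reason to skip verification.
    [ -f "$vo_sig" ] || { echo "ERROR: no signature file for $vo_file" >&2; return 1; }
    # Machine-readable status lines go to stdout; human-readable output is dropped.
    vo_status=$(gpg --batch --status-fd 1 --verify "$vo_sig" "$vo_file" 2>/dev/null) || {
        echo "ERROR: signature on $vo_file does not verify" >&2; return 1; }
    # Status line: "[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>"
    vo_fprs=$(printf '%s\n' "$vo_status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3, $NF; exit}')
    [ -n "$vo_fprs" ] || { echo "ERROR: no VALIDSIG status for $vo_file" >&2; return 1; }
    for vo_fpr in $vo_fprs; do
        case " $vo_allowed " in
            *" $vo_fpr "*) echo "OK: $vo_file signed by $vo_fpr"; return 0 ;;
        esac
    done
    echo "ERROR: $vo_file signed by a key not in the allowlist: $vo_fprs" >&2
    return 1
}

# demo: exercise the four outcomes a packager must get right. Returns 0 only if
# the good case is accepted and the three bad cases are all rejected.
demo() {
    tmp=$(mktemp -d) || return 2
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway signing key, generated unattended (constructed for this example only).
    gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF
    fpr=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')
    tarball="$tmp/example-1.2.tar.gz"
    printf 'constructed stand-in for a release tarball\n' > "$tarball"
    gpg --batch --quiet --detach-sign --output "$tarball.sig" "$tarball" 2>/dev/null

    rc=0
    # 1. Good signature from the allowed key: accepted.
    verify_or_abort "$tarball" "$tarball.sig" "$fpr" || rc=1
    # 2. Good signature, but from a key that is not in validpgpkeys: rejected.
    if verify_or_abort "$tarball" "$tarball.sig" "0000000000000000000000000000000000000000"; then rc=1; fi
    # 3. Signature file absent: rejected, not skipped.
    if verify_or_abort "$tarball" "$tarball.missing.sig" "$fpr"; then rc=1; fi
    # 4. Tarball modified after signing: rejected.
    printf 'x' >> "$tarball"
    if verify_or_abort "$tarball" "$tarball.sig" "$fpr"; then rc=1; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    return "$rc"
}
```

Run it with `sh script.sh && demo` sourced, or call `demo` at the bottom; case 4 is the situation the thread describes, and the right reaction to it is exactly what `verify_or_abort` does: stop and ask upstream why the signature no longer applies, rather than delete the `.sig` from `source=()` and build anyway.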
