FS#66959 - [dbus] use signed release file

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Tuesday, 09 June 2020, 19:59 GMT
Last edited by Evangelos Foutras (foutrelis) - Tuesday, 14 July 2020, 23:00 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Jan de Groot (JGC)
Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The dbus package currently downloads an unsigned git tag for building. This diff uses the signed release file and removes an old PGP key.
This task depends upon

Closed by Evangelos Foutras (foutrelis)
Tuesday, 14 July 2020, 23:00 GMT
Reason for closing: Fixed
Additional comments about closing: Looks like this was implemented in /trunk on 2020-06-10.
Comment by loqs (loqs) - Tuesday, 09 June 2020, 20:49 GMT
The git tags are signed, so git could continue to be used but use the tag object for signed releases.
Comment by T.J. Townsend (blakkheim) - Tuesday, 09 June 2020, 20:54 GMT
Signed git version would be fine with me too.
Comment by Jan Alexander Steffens (heftig) - Wednesday, 10 June 2020, 11:35 GMT
I'll change it to refer to the signed tag. It should be noted that (due to Git's object hash being the weak link) this isn't any safer than the way it currently works, which selects a commit by its full ID.

Signed tarballs are better in this regard (you get a signature over the entirety instead of just a Merkle tree root) but I prefer tracking Git whenever possible. It eases patching, backports and reverts.
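The point made in the comment above, as an added illustration (not from the bug report or the dbus project): the bytes a signed tag covers name the commit only by its SHA-1 object id, while a detached tarball signature covers every source byte. Object layouts follow Git's on-disk format; the tagger/author identities and the `dbus-X.Y.Z` tag name are constructed placeholders.

```python
import hashlib
import io
import tarfile

# Constructed placeholder identity used on author, committer and tagger lines.
IDENT = "Example <dev@example.invalid> 0 +0000"


def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over the header '<type> <size>\\0' plus the body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def tree_body(files: dict) -> bytes:
    """Tree object body: sorted '<mode> <name>\\0<20-byte blob id>' entries."""
    return b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(git_object_id("blob", data))
        for name, data in sorted(files.items()))


def signed_tag_payload(files: dict, tag: str, message: str) -> bytes:
    """Bytes that 'git tag -s' hands to GnuPG: the tag object minus its signature.
    The source files only enter via tree -> commit -> 'object <id>' line."""
    tree_id = git_object_id("tree", tree_body(files))
    commit = f"tree {tree_id}\nauthor {IDENT}\ncommitter {IDENT}\n\nrelease\n".encode()
    commit_id = git_object_id("commit", commit)
    return f"object {commit_id}\ntype commit\ntag {tag}\ntagger {IDENT}\n\n{message}\n".encode()


def signed_tarball_payload(files: dict) -> bytes:
    """Bytes a detached tarball signature covers: the entire archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample tree standing in for a release checkout.
    files = {"configure.ac": b"AC_INIT([dbus])\n", "README": b"constructed sample\n"}
    tag = signed_tag_payload(files, "dbus-X.Y.Z", "dbus X.Y.Z")
    tarball = signed_tarball_payload(files)
    print(len(tag), "bytes under the tag signature; source text inside:", b"AC_INIT" in tag)
    print(len(tarball), "bytes under the tarball signature; source text inside:", b"AC_INIT" in tarball)
```

Any change to a file still alters the tag payload, but only through the hash chain, which is why the tag signature is only as strong as Git's object hash.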
Comment by T.J. Townsend (blakkheim) - Wednesday, 10 June 2020, 15:47 GMT
Should security not be prioritized over convenience of patching?
