From: eli-schwartz <eli-schwartz@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [RFC/POC] Support checks for signify signature inside xbps-src
Date: Tue, 02 Feb 2021 20:04:38 +0100 [thread overview]
Message-ID: <20210202190438.0fLXqxZUwfqe25K4_tOQ7pY0YhLGoxc61uT7MKKK4g8@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-28400@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 792 bytes --]
New comment by eli-schwartz on void-packages repository
https://github.com/void-linux/void-packages/pull/28400#issuecomment-771896892
Comment:
As a developer for a Linux distribution, you'll have to ask yourself how confident you are that that is what ACTUALLY happened, rather than a malicious attacker breaking into e.g. github and hijacking lines of communication.
Your proposed case is a sob story, not a cryptographic proof...
Assuming you do decide to believe that story, and re-bootstrap your Trust On First Use relationship with upstream, the fact that that happened is visible in the git commit history for the package, so that people are aware that yes, something changed.
For the record, people don't generally "just lose" their cryptographic security tokens like that.
next prev parent reply other threads:[~2021-02-02 19:04 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 2:37 [PR PATCH] " ericonr
2021-02-02 2:48 ` [PR PATCH] [Updated] " ericonr
2021-02-02 3:53 ` eli-schwartz
2021-02-02 18:42 ` Chocimier
2021-02-02 18:45 ` eli-schwartz
2021-02-02 18:48 ` Chocimier
2021-02-02 18:50 ` ericonr
2021-02-02 18:52 ` Chocimier
2021-02-02 18:53 ` Chocimier
2021-02-02 19:04 ` eli-schwartz [this message]
2021-02-02 19:05 ` ericonr
2021-02-02 20:04 ` Chocimier
2021-02-02 20:29 ` eli-schwartz
2021-02-02 20:55 ` Chocimier
2021-02-03 15:14 ` [PR PATCH] [Updated] " ericonr
2022-05-03 2:14 ` github-actions
2022-05-17 2:14 ` [PR PATCH] [Closed]: " github-actions
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210202190438.0fLXqxZUwfqe25K4_tOQ7pY0YhLGoxc61uT7MKKK4g8@z \
--to=eli-schwartz@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).