[Varnish] #906: Varnish 2.1.x packages for el5 are not signed
Varnish
varnish-bugs at varnish-cache.org
Tue Apr 19 00:17:20 CEST 2011
#906: Varnish 2.1.x packages for el5 are not signed
------------------------------+---------------------------------------------
 Reporter:  maxp              |       Type:  defect
   Status:  new               |   Priority:  high
Milestone:                    |  Component:  build
  Version:  trunk             |   Severity:  major
 Keywords:  gpg rpm security  |
------------------------------+---------------------------------------------
Of the packages available at http://repo.varnish-cache.org/redhat/varnish-2.1/el5/ none are signed with a gpg key.
Signing packages with a gpg key is an easy and effective way to prevent
malicious parties from subverting your packages for the distribution of
malware. Without signed packages repo.varnish-cache.org/redhat/ is worse
than useless for the distribution of packages for production, it is in
fact a gaping security hole.
This issue of broken key verification was previously broached here:
http://www.varnish-cache.org/trac/ticket/810
The apparent 'solution' of removing GPG verification is apparent based on
the difference between:
http://repo.varnish-cache.org/redhat/el5/noarch/varnish-release-2.1-2.noarch.rpm
and
http://repo.varnish-cache.org/redhat/el5/noarch/varnish-release-2.1-1.noarch.rpm
Wherein a GPG key is no longer distributed and gpgcheck is set to 0 (where
it previously was 1) in the varnish-2.1.repo definition.
I have checked out the latest revision of the only apparent repository on
git.varnish-cache.org and cannot find any script which defines the
behavior of your rpm building system and thus cannot submit a patch.
--
Ticket URL: <http://varnish-cache.org/trac/ticket/906>
Varnish <http://varnish-cache.org/>
The Varnish HTTP Accelerator
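Added example, not part of the ticket or of the Varnish project's build scripts: a POSIX shell audit of the gpgcheck/gpgkey settings in a yum .repo definition (the two sample .repo bodies are constructed to mirror the gpgcheck=1 to gpgcheck=0 change the ticket describes; the real varnish-2.1.repo contents and the key path are assumptions), plus an rpm query that reports whether a downloaded package carries any GPG signature before any key is trusted.

```shell
#!/bin/sh
# Constructed sample .repo bodies (assumption: they mirror the gpgcheck change
# the ticket describes; the real varnish-2.1.repo contents are not on the page).
WEAK_REPO='[varnish]
name=Varnish 2.1 for Enterprise Linux 5
baseurl=http://repo.varnish-cache.org/redhat/varnish-2.1/el5/$basearch
enabled=1
gpgcheck=0
'
FIXED_REPO='[varnish]
name=Varnish 2.1 for Enterprise Linux 5
baseurl=http://repo.varnish-cache.org/redhat/varnish-2.1/el5/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-varnish
'

# audit_repo: read a .repo definition on stdin and print one line per section
# that does not enforce signature checking (gpgcheck missing or not 1, or
# gpgcheck=1 with no gpgkey to verify against). Exits 0 only when all pass.
audit_repo() {
    awk '
        function flush() {
            if (sec == "") return
            if (gpgcheck != "1") {
                printf "%s: gpgcheck is %s (must be 1)\n", sec, (gpgcheck == "" ? "unset" : gpgcheck); bad = 1
            } else if (gpgkey == "") {
                printf "%s: gpgcheck=1 but no gpgkey configured\n", sec; bad = 1
            }
        }
        /^\[.*\]$/ { flush(); sec = $0; gpgcheck = ""; gpgkey = ""; next }
        /^gpgcheck[ \t]*=/ { sub(/^gpgcheck[ \t]*=[ \t]*/, ""); gpgcheck = $0 }
        /^gpgkey[ \t]*=/   { sub(/^gpgkey[ \t]*=[ \t]*/, ""); gpgkey = $0 }
        END { flush(); exit bad }
    '
}

# rpm_signature: print the signature stored in a downloaded package header, or
# "(none)" for an unsigned package. This needs only the file, not the keyring,
# so it answers "is this package signed at all?" before any key is imported.
rpm_signature() {
    rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n' "$1"
}
```

Run `printf '%s' "$WEAK_REPO" | audit_repo` to see the flagged section, and `rpm_signature varnish-release-2.1-2.noarch.rpm` on a fetched package to see whether a signature is present at all.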