[linux-elitists] Rooted kernel.org hosts (was: PJ takes her victory lap)

Greg KH greg at kroah.com
Thu Sep 1 08:45:56 PDT 2011

On Wed, Aug 31, 2011 at 09:22:47PM -0700, Rick Moen wrote:
> Quoting Greg KH (greg at kroah.com):
> > As hera was the machine that was compromised, tarballs could be changed
> > and properly signed, so pgp signatures mean nothing here.
> Ah, I had assumed, apparently in error, that the private key +
> passphrase would be used for code-signing _only_ on a more carefully
> guarded machine, not on a shared host (which is what I gather hera to
> be).  That is typically how such things are done, specifically to render
> the signed tarballs insensitive to compromise of the public host.

The signing doesn't happen on the host itself, the tarballs are taken
from the host and then signed, so if you modify the tarball, then the
signature would be regenerated.  Well, I think so, you might have to
delete the old files first, and then add new ones to be signed again,
which would be a huge red flag, so I might be totally wrong here as I
don't really know how the signing logic happens other than from a
user-of-the-system point of view (i.e. put your files here and they will
be automatically signed and mirrored.)

> Yes, the git repo is naturally the reference for kernel developers.
> However, it would be excellent if tarball signing were, in future, done
> in such a way as to give more meaningful security assurance than just
> 'this mirror accurately reflects whatever the ftp master has'.
> (BTW, if you're busy on the forensics, by all means please don't let me
> waste any of your time.)

I'm not involved in that process at all, I'm merely one of the many
users of the system.  We have a _very_ good sysadmin in charge of the
whole thing.

greg k-h

More information about the linux-elitists mailing list