sling-dev mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] rombert commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is missing in keyring
Date Fri, 19 Oct 2018 14:00:17 GMT
rombert commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is missing in keyring
URL: https://github.com/apache/sling-tooling-release/pull/2#issuecomment-431372901
 
 
The worst-case scenario I'm thinking of is the following:

1. PMC member "Alice" goes on vacation.
2. Malicious actor "Charlie" creates a GPG key and pushes it to the keyserver, using Alice's email.
3. Charlie breaks into Alice's Nexus account and uploads a malicious release.
4. Charlie forges an email coming from Alice and starts a vote on the dev list with the malicious release.
5. PMC members vote +1 on the release and the key is automatically accepted.

----

Granted, it's a pretty convoluted scenario but it only needs one weakness - the Nexus account credentials from a PMC member. Not automatically importing GPG keys would add a second layer.

It might be that I'm overthinking this and that this is not a really big issue :-)

But I fully agree that at least displaying the error message from GPG would be a great improvement.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
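The verification wrapper below is an added example written for this thread; it is not code from sling-tooling-release and not something rombert posted. It shows the defensive default the comment argues for: run gpg with key auto-retrieval disabled, classify its machine-readable status output, and, when the signing key is absent from the keyring, stop and surface gpg's own error message instead of importing the key during a release check. The `[GNUPG:]` status tokens (NO_PUBKEY, GOODSIG, BADSIG, EXPKEYSIG, REVKEYSIG) and the gpg options `--batch`, `--status-fd` and `--no-auto-key-retrieve` are real gpg features; the `.asc` signature naming, the function names, and the sample status lines with key id 0123456789ABCDEF and signer "Alice Example" are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example for this thread (not sling-tooling-release code): verify a release
# artifact's detached signature without ever auto-importing the signing key.

# classify_gpg_status STATUS_TEXT
# Reads gpg's machine-readable "[GNUPG:] ..." status lines and prints one verdict:
#   good <keyid> <user id>   signature verified with a key already in the keyring
#   missing-key <keyid>      key not in keyring (gpg emits NO_PUBKEY); do NOT fetch it
#   bad                      signature does not verify (BADSIG)
#   bad-key                  signed with an expired or revoked key (EXPKEYSIG/REVKEYSIG)
#   unknown                  none of the above (treated as a failure by the caller)
# Always returns 0 so callers can capture the verdict with $(...) under set -e.
classify_gpg_status() {
    status="$1"
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        keyid=$(printf '%s\n' "$status" \
            | sed -n 's/^\[GNUPG:\] NO_PUBKEY \([0-9A-Fa-f]*\).*$/\1/p' | head -n 1)
        echo "missing-key $keyid"
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo "bad"
    elif printf '%s\n' "$status" | grep -q -e '^\[GNUPG:\] EXPKEYSIG ' -e '^\[GNUPG:\] REVKEYSIG '; then
        echo "bad-key"
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        signer=$(printf '%s\n' "$status" \
            | sed -n 's/^\[GNUPG:\] GOODSIG \([0-9A-Fa-f]*\) \(.*\)$/\1 \2/p' | head -n 1)
        echo "good $signer"
    else
        echo "unknown"
    fi
    return 0
}

# verify_release_signature ARTIFACT [SIGNATURE]
# Runs gpg with key auto-retrieval disabled, then applies the policy above.
# On a missing key it prints gpg's own stderr (the error message the comment asks
# to display) and fails, leaving the key import as a deliberate, out-of-band step.
# Assumes (example convention) that the detached signature sits at ARTIFACT.asc.
verify_release_signature() {
    artifact="$1"
    sig="${2:-$artifact.asc}"
    errfile=$(mktemp)
    status=$(gpg --batch --no-auto-key-retrieve --status-fd 1 \
                 --verify "$sig" "$artifact" 2>"$errfile") || true
    verdict=$(classify_gpg_status "$status")
    rc=1
    case "$verdict" in
        "good "*)        echo "OK: $artifact signed by ${verdict#good }"; rc=0 ;;
        "missing-key "*) echo "REFUSED: signing key ${verdict#missing-key } is not in the keyring."
                         echo "Not importing it automatically; verify the fingerprint out of band first."
                         echo "gpg said:"; cat "$errfile" ;;
        *)               echo "FAILED ($verdict): signature check did not pass for $artifact"
                         echo "gpg said:"; cat "$errfile" ;;
    esac
    rm -f "$errfile"
    return $rc
}

# Constructed sample status output (key id 0123456789ABCDEF and the signer are
# placeholders), shaped like gpg's real --status-fd lines, so the policy can be
# exercised offline without a keyring.
SAMPLE_STATUS_MISSING='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1539957617 9 0123456789ABCDEF
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-10-19 1539957617 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>'

# Stand-alone demo: run the policy over the samples (no gpg needed).
for s in "$SAMPLE_STATUS_MISSING" "$SAMPLE_STATUS_GOOD" "$SAMPLE_STATUS_BAD"; do
    echo "verdict: $(classify_gpg_status "$s")"
done
```

The decision logic is kept in `classify_gpg_status`, separate from the gpg invocation, so it can be tested against captured status lines; `verify_release_signature` is the piece that would take the place of an automatic `gpg --recv-keys` in a release-check script, turning a missing key into a visible stop rather than a silent trust decision.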
