[Varnish] #906: Varnish 2.1.x packages for el5 are not signed

Varnish varnish-bugs at varnish-cache.org
Tue Apr 19 00:17:20 CEST 2011

#906: Varnish 2.1.x packages for el5 are not signed
 Reporter:  maxp              |        Type:  defect
   Status:  new               |    Priority:  high  
Milestone:                    |   Component:  build 
  Version:  trunk             |    Severity:  major 
 Keywords:  gpg rpm security  |  
 Of the packages available at http://repo.varnish-
 cache.org/redhat/varnish-2.1/el5/ none are signed with a gpg key.

 Signing packages with a gpg key is an easy and effective way to prevent
 malicious parties from subverting your packages for the distribution of
 malware. Without signed packages repo.varnish-cache.org/redhat/ is worse
 than useless for the distribution of packages for production, it is in
 fact a gaping security hole.

 This issue of broken key verification was previously broached here:

 The apparent 'solution' of removing GPG verification is apparent based on
 the difference between:

 Wherein a GPG key is no longer distributed and gpgcheck is set to 0 (where
 it previously was 1) in the varnish-2.1.repo definition.

 I have checked out the latest revision of the only apparent repository on
 git.varnish-cache.org and cannot find any script which defines the
 behavior of your rpm building system and thus cannot submit a patch.

Ticket URL: <http://varnish-cache.org/trac/ticket/906>
Varnish <http://varnish-cache.org/>
The Varnish HTTP Accelerator

More information about the varnish-bugs mailing list