[Slackbuilds-users] [hplip-plugin] updated without my say-so, by someone who used my name and email.
Lumin Etherlight
lumin+slackbuilds at etherlight.link
Fri May 15 22:35:40 UTC 2026
Arnaud via SlackBuilds-users
<slackbuilds-users at slackbuilds.org> writes:
> I am thinking about what could be done to
> our repository, changing a URL there under the
> pretense that it's more stable, but is pointing to
> a modified version with security breaches. And
> all we'll see is that the official maintainer
> proposed the change and it was approved.
>
> Maybe there could be a group effort toward a
> few modernizations, a bit more security, a better
> submission process ?
I agree. If anyone can publish an update in
my name, which may include "supply-chain" attacks,
against other Slackware users, then I'd be really
wary of having my name on SlackBuilds, lest I get
falsely accused of doing the attacks myself.
Cryptographic signatures by the private keys
of the maintainer are the usual mitigation in other
projects as far as I know. If a developer adopts
a package, then their key is marked as the only
one allowed to push updates to said package. If
an admin needs to modify the uploaded update, then
the administrator's signature has to be on that
update instead.
I wonder if current SlackBuild.org policy
allows individual maintainers to sign their own
updates, by optionally including a signature file
in their upload, which gets published to the end
users just like any file in the SlackBuild. Users
who want to be extra cautious can then validate it
to make sure nothing weird is happening. Would my
updates be rejected if I do so?
At minimum, we need email confirmation sent
to the maintainers' address when they make uploads
so that their identity is slightly confirmed.
Simpler solutions are welcome,
if anyone has any :-)
Best Regards,
Lumin Etherlight
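The key-pinning rule described in the message above (one maintainer key pinned per package, with an admin key allowed to override), as an added worked example that is not part of the thread and not SlackBuilds.org code. It assumes Ed25519 detached signatures over the uploaded archive bytes, a hypothetical in-memory registry as the only source of trusted keys, and constructed sample archive bytes rather than a real hplip-plugin tarball; the field and function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Upload models one SlackBuild submission: the archive bytes plus the
// detached signature file the mail proposes (nil when nobody signed).
// Field names are this example's own, not SlackBuilds.org's.
type Upload struct {
	Package   string
	Archive   []byte
	Signature []byte
}

// Registry is the pinning table: exactly one maintainer key per package,
// plus the admin keys that may override a maintainer's upload.
type Registry struct {
	Maintainer map[string]ed25519.PublicKey
	Admins     []ed25519.PublicKey
}

var (
	ErrUnsigned     = errors.New("upload carries no signature")
	ErrNoMaintainer = errors.New("package has no pinned maintainer key")
	ErrUntrusted    = errors.New("signature does not verify against the pinned maintainer key or any admin key")
)

// Sign produces the detached signature a maintainer or admin ships with the
// archive. Ed25519 hashes internally, so the archive bytes are signed as-is.
func Sign(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, archive)
}

// Accept decides whether an upload may be published and reports who signed
// it. The upload never names its own key: the registry is the only source
// of trusted keys, so a forged "signed by the maintainer" claim has nothing
// to attach to. A tampered archive fails exactly like a rogue signer.
func (r *Registry) Accept(u Upload) (string, error) {
	if len(u.Signature) == 0 {
		return "", ErrUnsigned
	}
	pinned, ok := r.Maintainer[u.Package]
	if !ok {
		return "", ErrNoMaintainer
	}
	if ed25519.Verify(pinned, u.Archive, u.Signature) {
		return "maintainer", nil
	}
	for _, admin := range r.Admins {
		if ed25519.Verify(admin, u.Archive, u.Signature) {
			return "admin", nil
		}
	}
	return "", ErrUntrusted
}

// RunScenarios pins freshly generated keys for "hplip-plugin" and exercises
// the outcomes a submission queue would see. Archive bytes are constructed.
func RunScenarios() (map[string]string, error) {
	maintPub, maintPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // attacker using the maintainer's name
	if err != nil {
		return nil, err
	}
	reg := &Registry{
		Maintainer: map[string]ed25519.PublicKey{"hplip-plugin": maintPub},
		Admins:     []ed25519.PublicKey{adminPub},
	}
	archive := []byte("hplip-plugin.tar.gz: constructed sample bytes")
	tampered := append([]byte(nil), archive...)
	tampered[0] ^= 0x01 // one bit flipped after the maintainer signed

	out := map[string]string{}
	record := func(name string, u Upload) {
		if role, err := reg.Accept(u); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = "accepted as " + role
		}
	}
	record("maintainer", Upload{"hplip-plugin", archive, Sign(maintPriv, archive)})
	record("admin", Upload{"hplip-plugin", archive, Sign(adminPriv, archive)})
	record("rogue", Upload{"hplip-plugin", archive, Sign(roguePriv, archive)})
	record("tampered", Upload{"hplip-plugin", tampered, Sign(maintPriv, archive)})
	record("unsigned", Upload{"hplip-plugin", archive, nil})
	record("unpinned", Upload{"some-other-pkg", archive, Sign(maintPriv, archive)})
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"maintainer", "admin", "rogue", "tampered", "unsigned", "unpinned"} {
		fmt.Printf("%-10s %s\n", k, out[k])
	}
}
```

The design choice worth noting is that the upload carries no key of its own. If the queue trusted a key embedded in the submission and only checked that the signature matched it, the attacker from the message above would simply ship their own key; pinning means the registry, not the uploader, decides which key counts for each package, and an admin override is visible as such because it verifies against an admin key rather than the maintainer's.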