author | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-04-01 14:56:36 -0400 |
---|---|---|
committer | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-04-01 14:56:36 -0400 |
commit | b303c731387107a9f2755275dedcc685bfc8c030 (patch) | |
tree | 931170f7934e6b9a71ba6916b6ea7ae67e76be65 | |
parent | cb55769aa192731d819b306d3d3904ba443d22dd (diff) | |
download | korg-helpers-b303c731387107a9f2755275dedcc685bfc8c030.tar.gz |
Copy admonition from the commit
Make sure the admonition about not relying too much on sig-prover is
plainly visible.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
-rwxr-xr-x | sig-prover.py | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/sig-prover.py b/sig-prover.py index 6d2d79b..74c3c44 100755 --- a/sig-prover.py +++ b/sig-prover.py @@ -6,6 +6,20 @@ # The script it supposed to be fire-and-forget, running in a screen session or as a # systemd service, with reports sent to admin@kernel.org. # +# CAUTION: +# This script is not a guaranteed mechanism to detect intrusion -- an +# attacker can defeat it by analyzing access patterns/IPs and serving +# different content when it suspects that someone is running an automated +# signature verification check. The script can probably be improved by +# adding random delays between retrieving the tarball and the detached +# signature, setting a referrer value, etc. However, even with added +# measures, it will always act fairly predictably, so there will always +# remain a way to defeat it. +# +# If you download tarballs from kernel.org for any purpose, you should +# always run your own verification on each downloaded file. +# https://www.kernel.org/signature.html +# # SPDX-License-Identifier: GPL-2.0-or-later # # -*- coding: utf-8 -*- |
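Review bot: the new CAUTION block only reaches people who open sig-prover.py, while the stated goal is to make the admonition plainly visible; since the header says reports are sent to admin@kernel.org, consider also emitting the caveat (or at least the pointer to https://www.kernel.org/signature.html) in the report text, so a recipient does not read a clean run as proof that the tarballs are untampered. The hardening ideas are left as prose ("adding random delays between retrieving the tarball and the detached signature, setting a referrer value, etc."); a TODO marker would make them easier to track. Minor: the comment is inserted above the SPDX-License-Identifier line, pushing it further from the top of the file, where that identifier is conventionally placed; that placement predates this change, but the license line would be better kept near the top.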