On July 10, 2019 8:10:40 AM UTC, Sean Whitton <spwhit...@spwhitton.name> wrote:
>Hello,
>
>Over the weekend, Ian Jackson and I met in Cambridge, U.K. to work on
>the design and implementation of tools and processes relating to git &
>Debian packaging.
>
>Main achievement
>----------------
>
>We designed and implemented a system to make it possible for DDs to
>upload new versions of packages by simply pushing a specially formatted
>git tag to salsa.
>
>Please see this blog post to learn about how it works:
>https://spwhitton.name/blog/entry/tag2upload/
>
>While the cloud service part of this system has not yet been deployed,
>and so you can't just tag to upload yet, the blog post explains how you
>can run the cloud service in an ad-hoc mode on your laptop, and thereby
>get a feel for how it works.
...
Thanks for the detailed explanation.

Has there been any analysis of the security implications of this proposed
service?

If I am understanding the description correctly, the transformation from git
tag (which is signed and can be verified) to a source package (which can be
signed and verified) will happen on an internet facing server (typically this
would happen on a local developer machine) and, unless there is additional
magic around key management that isn't described in the blog post, the private
key for a key the archive trusts would also be there.

It seems to me that there is potential for a significant new attack surface
that ought to be carefully assessed before this gets anywhere near wired up to
feed into the archive from any kind of 'cloud' service.

Scott K
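The concern above is that the service, not the developer's machine, becomes the place where "this tag is signed" is turned into "this upload is authorised". One check such a service would have to get right is deciding whether the tag signature comes from a key the archive actually trusts, rather than merely that some signature verified. The script below is an added example written for this thread; it is not tag2upload's code and does not describe its key handling. It parses the machine-readable gpg status lines that `git verify-tag --raw <tag>` prints on stderr and accepts a tag only when gpg reports VALIDSIG, no failure or revocation status appears, and the signer's primary key fingerprint is on an explicit allowlist (a stand-in for the Debian keyring). The status lines and fingerprints embedded in it are constructed samples.

```python
"""Gate an upload decision on *who* signed the tag, not only on "a signature verified".

Added example for the debian-devel thread above; not tag2upload code.
Input is the gpg --status-fd output that `git verify-tag --raw` emits.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Any of these means the signature must not authorise anything, even if VALIDSIG
# is also present: gpg prints VALIDSIG for a cryptographically good signature
# made by an expired or revoked key and signals the key problem separately.
REJECTING_STATUSES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed placeholder: the primary-key fingerprint of an allowed uploader.
ALLOWED_UPLOADERS: Set[str] = {"0123456789ABCDEF0123456789ABCDEF01234567"}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    primary_fpr: Optional[str] = None


def evaluate_status(status_text: str, allowed_primary_fprs: Set[str]) -> Verdict:
    """Decide from gpg status lines whether a signed tag may drive an upload."""
    primary_fpr = None
    seen = set()
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "")
        seen.add(keyword)
        if keyword == "VALIDSIG":
            fields = args.split()
            # VALIDSIG <sig-key fpr> <date> <ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> <primary-key fpr>
            # The signing subkey and the primary key differ; keyrings are
            # indexed by the primary, so allowlist on that (fall back to the
            # only fingerprint if an older gpg omits the primary).
            primary_fpr = (fields[9] if len(fields) >= 10 else fields[0]).upper()
    bad = seen & REJECTING_STATUSES
    if bad:
        return Verdict(False, "gpg reported %s" % sorted(bad), primary_fpr)
    if "VALIDSIG" not in seen:
        return Verdict(False, "no VALIDSIG: signature absent or unverifiable", None)
    if primary_fpr not in allowed_primary_fprs:
        return Verdict(False, "key %s is not an allowed uploader key" % primary_fpr, primary_fpr)
    return Verdict(True, "valid signature from an allowed uploader key", primary_fpr)


def verify_tag(repo: str, tag: str, allowed_primary_fprs: Set[str]) -> Verdict:
    """Run `git verify-tag --raw` on a real repository and evaluate its stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return evaluate_status(proc.stderr, allowed_primary_fprs)


# Constructed sample: good signature by subkey FEDC... whose primary is 0123... (allowed).
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2019-07-10 1562745040 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed sample: same key after revocation; VALIDSIG still appears.
REVOKED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG FEDCBA9876543210 Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2019-07-10 1562745040 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567
"""


def demo() -> dict:
    """Evaluate the constructed samples against the allowlist."""
    return {
        "good": evaluate_status(GOOD_STATUS, ALLOWED_UPLOADERS),
        "revoked": evaluate_status(REVOKED_STATUS, ALLOWED_UPLOADERS),
        "unknown_key": evaluate_status(GOOD_STATUS, {"1111111111111111111111111111111111111111"}),
        "unsigned": evaluate_status("", ALLOWED_UPLOADERS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-12s accepted=%-5s %s" % (name, verdict.accepted, verdict.reason))
```

Two design points matter for a service of the kind discussed: the allowlist is keyed on the primary-key fingerprint that gpg reports in the last VALIDSIG field, so a signing subkey is accepted only through its primary; and the presence of VALIDSIG is never sufficient on its own, because gpg emits it alongside REVKEYSIG or EXPKEYSIG when the key itself is no longer good. Either check being missing on the server side is the kind of gap the attack-surface assessment asked for above would need to find.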