Hi Sean, hi all,

On 12.07.19 09:00, Sean Whitton wrote:
> On Fri 12 Jul 2019 at 04:30am +00, Scott Kitterman wrote:
>
>> Has there been any analysis of the security implications of this
>> proposed service?
>
> Nothing formal, though of course we were thinking about it while we were
> working on it.
>
>> If I am understanding the description correctly, the transformation
>> from git tag (which is signed and can be verified) to a source package
>> (which can be signed and verified) will happen on an internet facing
>> server (typically this would happen on a local developer machine) and,
>> unless there is additional magic around key management that isn't
>> described in the blog post, the private key for a key the archive
>> trusts would also be there.
>>
>> It seems to me that there is potential for a significant new attack
>> surface that ought to be carefully assessed before this gets anywhere
>> near wired up to feed into the archive from any kind of 'cloud'
>> service.
>
> The current plan is for this machine to be firewalled such that it talks
> only to salsa. For exactly the sort of reasons you describe, you won't
> be able to use this with arbitrary git hosts.
>
> The only untrusted input is the git tags before their signature has been
> verified against the Debian keyring. Maybe we could isolate fetching
> and checking those tags from the part of the service which fetches the
> whole git tree to produce a source package.
Nonetheless, it seems to me you are moving from trusting local signing to trusting upload by salsa, thereby making salsa more attractive for attackers.

Best wishes
Michael
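The check Sean describes above, verifying a git tag's signature against the Debian keyring in a stage separate from the one that fetches the whole tree, as an added example that is not code from this thread or from the service being discussed. It assumes only that git and gpg 2.1 or later are on PATH; the two keys, the repository, the tag names and the pinned keyring file are all constructed here in a temporary directory and stand in for the real keyring and salsa repository.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian service it
# discusses. Assumes git and gpg 2.1+. Keys, repo, tags and the keyring path
# below are constructed stand-ins.
set -eu

# verify_tag REPO TAG KEYRING
# Succeeds only if TAG in REPO carries a good signature from a key held in the
# pinned KEYRING file. --no-default-keyring makes gpg ignore every other key
# on the machine, so a key that merely exists in $GNUPGHOME is not accepted.
verify_tag() {
  _repo=$1; _tag=$2; _keyring=$3
  _wrapper=$(mktemp)
  cat >"$_wrapper" <<EOF
#!/bin/sh
exec gpg --no-default-keyring --keyring "$_keyring" "\$@"
EOF
  chmod 700 "$_wrapper"
  _rc=0
  git -C "$_repo" -c gpg.program="$_wrapper" verify-tag "$_tag" >/dev/null 2>&1 || _rc=$?
  rm -f "$_wrapper"
  return $_rc
}

# export_tree REPO TAG KEYRING DEST
# Second stage: the tree is only read out after the first stage accepted the
# tag, mirroring the isolation suggested in the thread.
export_tree() {
  verify_tag "$1" "$2" "$3" || return 1
  mkdir -p "$4"
  git -C "$1" archive "$2" | tar -x -C "$4"
}

# make_key UID: passphrase-less ed25519 signing key in $GNUPGHOME; prints fingerprint.
make_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" ed25519 sign never >/dev/null 2>&1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

run_demo() {
  WORK=$(mktemp -d)
  export GNUPGHOME="$WORK/gnupg"
  mkdir -m 700 "$GNUPGHOME"

  MAINT_FPR=$(make_key "Constructed Maintainer <maint@example.invalid>")
  ROGUE_FPR=$(make_key "Constructed Rogue <rogue@example.invalid>")

  # The pinned keyring holds only the maintainer key (stand-in for the Debian keyring).
  # The rogue key is still present in $GNUPGHOME, which is exactly what must not matter.
  KEYRING="$WORK/trusted.gpg"
  gpg --batch --export "$MAINT_FPR" >"$KEYRING"

  REPO="$WORK/repo"
  git init -q "$REPO"
  git -C "$REPO" config user.name "Constructed Maintainer"
  git -C "$REPO" config user.email maint@example.invalid
  echo "Source: demo" >"$REPO/control"
  git -C "$REPO" add control
  git -C "$REPO" -c commit.gpgsign=false commit -q -m "constructed upload"

  git -C "$REPO" -c user.signingkey="$MAINT_FPR" tag -s -m "signed by maintainer" debian/1.0-1
  git -C "$REPO" -c user.signingkey="$ROGUE_FPR" tag -s -m "signed by rogue key" debian/1.0-2
  git -C "$REPO" tag debian/1.0-3   # unsigned tag

  RESULT=""
  for t in debian/1.0-1 debian/1.0-2 debian/1.0-3; do
    if verify_tag "$REPO" "$t" "$KEYRING"; then RESULT="$RESULT accept"; else RESULT="$RESULT reject"; fi
  done
  RESULT=${RESULT# }
  gpgconf --kill gpg-agent 2>/dev/null || true
  echo "$RESULT"   # accept reject reject
}

run_demo
```

The pinned keyring controls which signers the first stage accepts, and nothing else on the host can widen that set; it does not, however, change the point made in the reply about the service's own signing key living on that host.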