On 29/03/24 at 23:29 -0700, Russ Allbery wrote:
> Antonio Russo <antonio.e.ru...@gmail.com> writes:
>
> > But, I will definitely concede that, had I seen a commit that changed
> > that line in the m4, there's a good chance my eyes would have glazed
> > over it.
>
> This is why I am somewhat skeptical that forcing everything into Git
> commits is as much of a benefit as people are hoping. This particular
> attacker thought it was better to avoid the Git repository, so that is
> evidence in support of that approach, and it's certainly more helpful,
> once you know something bad has happened, to be able to use all the Git
> tools to figure out exactly what happened. But I'm not sure we're fully
> accounting for the fact that tags can be moved, branches can be
> force-pushed, and if the Git repository is somewhere other than GitHub,
> the malicious possibilities are even broader.
>
> We could narrow those possibilities somewhat by maintaining
> Debian-controlled mirrors of upstream Git repositories so that we could
> detect rewritten history. (There are a whole lot of reasons why I think
> dgit is a superior model for archive management. One of them is that it
> captures the full Git history of upstream at the point of the upload on
> Debian-controlled infrastructure if the maintainer of the package bases it
> on upstream's Git tree.)
I wonder if Software Heritage could help with that part?

Lucas
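As an added illustration of the mirror-based check Russ describes in the quoted text (this is not code from the thread, from dgit, or from Debian's infrastructure), the POSIX shell script below builds a throwaway "upstream" repository and a mirror of it in a temporary directory, simulates a force-pushed branch and a moved tag on the upstream side, and then compares the mirror's recorded refs against upstream's current refs. A branch whose recorded tip is no longer an ancestor of the current tip is reported as rewritten, and a tag whose target changed is reported as moved; a fast-forwarded branch is reported separately because that is normal development. Every path, branch name, file and commit here is constructed for the demo, and `check_mirror`, `count_anomalies`, `make_demo_repos` and `rewrite_upstream` are names chosen for this example.

```shell
#!/bin/sh
# Added example: detect non-fast-forward branch rewrites and moved tags by
# comparing a mirror's recorded refs with the upstream repository's current refs.
# Everything lives in a temporary directory and is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Identity for the throwaway commits (constructed, not a real address).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

UPSTREAM="$WORK/upstream.git"   # stands in for the upstream-hosted repository
MIRROR="$WORK/mirror.git"       # stands in for a distribution-controlled mirror

# Build upstream with two commits on main, a tag v1.0 and a branch stable,
# then take a full mirror of it (this is the "recorded" state).
make_demo_repos() {
    git init -q --bare "$UPSTREAM"
    git -C "$UPSTREAM" symbolic-ref HEAD refs/heads/main
    git init -q "$WORK/src"
    git -C "$WORK/src" symbolic-ref HEAD refs/heads/main
    echo 'AC_INIT([demo], [1.0])' > "$WORK/src/configure.ac"
    git -C "$WORK/src" add configure.ac
    git -C "$WORK/src" commit -q -m "Initial import"
    git -C "$WORK/src" tag v1.0
    echo 'release notes' > "$WORK/src/NEWS"
    git -C "$WORK/src" add NEWS
    git -C "$WORK/src" commit -q -m "Add NEWS"
    git -C "$WORK/src" branch stable v1.0
    git -C "$WORK/src" push -q "$UPSTREAM" main stable
    git -C "$WORK/src" push -q "$UPSTREAM" --tags
    git clone -q --mirror "$UPSTREAM" "$MIRROR"
}

# Simulate a history rewrite on the upstream side: amend the tip of main and
# force-push it, then move tag v1.0 onto the amended commit. The stable branch
# is left untouched so the check has something to report as unchanged.
rewrite_upstream() {
    echo 'edited after the fact' > "$WORK/src/NEWS"
    git -C "$WORK/src" add NEWS
    git -C "$WORK/src" commit -q --amend --no-edit
    git -C "$WORK/src" push -q --force "$UPSTREAM" main
    git -C "$WORK/src" tag -f v1.0 main
    git -C "$WORK/src" push -q --force "$UPSTREAM" v1.0
}

# For every branch and tag the mirror has recorded, print one line:
#   ok <ref> | fast-forward <ref> <old> <new> | rewritten-branch <ref> <old> <new>
#   moved-tag <ref> <old> <new> | deleted <ref> <old>
# Upstream's current branch objects are fetched under refs/upstream-now/ so the
# ancestry test can run without touching the mirror's own recorded refs.
check_mirror() {
    mirror=$1
    upstream=$2
    git -C "$mirror" fetch -q --no-tags "$upstream" \
        '+refs/heads/*:refs/upstream-now/heads/*'
    git -C "$mirror" for-each-ref --format='%(refname) %(objectname)' refs/heads refs/tags |
    while read -r ref old; do
        new=$(git -C "$mirror" ls-remote "$upstream" "$ref" | awk 'NR == 1 { print $1 }')
        if [ -z "$new" ]; then
            echo "deleted $ref $old"
            continue
        fi
        case $ref in
        refs/tags/*)
            if [ "$new" = "$old" ]; then echo "ok $ref"
            else echo "moved-tag $ref $old $new"; fi ;;
        refs/heads/*)
            if [ "$new" = "$old" ]; then echo "ok $ref"
            elif git -C "$mirror" merge-base --is-ancestor "$old" "$new"; then
                echo "fast-forward $ref $old $new"
            else echo "rewritten-branch $ref $old $new"; fi ;;
        esac
    done
}

# Number of refs whose state is anything other than "ok".
count_anomalies() {
    check_mirror "$1" "$2" | awk '$1 != "ok" { n++ } END { print n + 0 }'
}

make_demo_repos
echo "== before upstream rewrite =="
check_mirror "$MIRROR" "$UPSTREAM"      # all three refs report ok
rewrite_upstream
echo "== after upstream rewrite =="
check_mirror "$MIRROR" "$UPSTREAM"      # main is rewritten, v1.0 is moved, stable is ok
```

The check deliberately never updates the mirror's own refs; an operator would run it before deciding whether to accept upstream's new state, and a real mirror would record the refs at the time of each upload (as Russ notes dgit does) rather than whenever the cron job last ran.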