On Wed, 12 Jun 2024 at 14:15, Jonas Smedegaard <jo...@jones.dk> wrote:
>
> Quoting Luca Boccassi (2024-06-12 14:55:13)
> > On Wed, 12 Jun 2024 at 13:47, Jonas Smedegaard <jo...@jones.dk> wrote:
> > [...]
> > > > > Luca Boccassi writes ("Re: [RFC] General Resolution to deploy
> > > > > tag2upload"):
> > > > > > As far as I can tell, from what was shared in these documents, the
> > > > > > security feature needed is an append-only repository, with
> > > > > > safeguards that an individual developer cannot bypass. As far as
> > > > > > I can tell, the same setup can be achieved with repository ACLs,
> > > > > > and it would have the same vulnerability: an admin with full
> > > > > > access to the server can bypass such measures, in either case.
> > > > > > Is there something else I am missing?
> > [...]
> > > I read the analysis more that two systems is better than one thousand
> > > systems.
> > >
> > > I.e. centralizing (compared to building done on developers' systems)
> > > to a system that can be analyzed (which Gitlab is quite a challenge
> > > to do).
> >
> > "centralize the risk as much as possible" applies to both cases, as
> > does the justification for it. And again, Salsa is already part of the
> > solution, so this argument doesn't seem very strong to me.
>
> No, not centralizing as much as possible, only as much as sensible.

That's not what it says though. If you have an alternative security
review, please share it in its entirety, and it can be discussed.

> You apparently find it equally sensible, specifically as a security
> measure, a) apply ACLs on an otherwise massively multi-user-write-access
> host and b) use a separate far-less-featured host.
>
> You claim that both setups have equal vulnerabilities.

No, I claim they have different sets of vulnerabilities, disadvantages
and advantages, and that both can provide the required feature: disallow
force pushes/deleting tags.

The hardest thing with security is that it requires a constant, ongoing
effort, that will never end, and will only get harder. A widely used
software like Gitlab is better for this, as is a widely used kernel like
Linux. Or are you suggesting such a server should run on Hurd, given it's
far-less-featured and thus has a much smaller attack surface than Linux?

> I disagree. I think you are mistaken - and no, it is totally irrelevant
> for this accusation whether or not I am a fan of Salsa, and whether or
> not I represent a loud or silent minority or majority. This is not about
> me.

And I think it is very much relevant, given the obvious end goal of some
individuals is to kill Salsa, which this proposal - as it stands - would
facilitate.