On Wed, 12 Jun 2024 at 15:20, Jonas Smedegaard <jo...@jones.dk> wrote:
>
> Quoting Luca Boccassi (2024-06-12 15:27:36)
> > On Wed, 12 Jun 2024 at 14:15, Jonas Smedegaard <jo...@jones.dk> wrote:
> > > You apparently find it equally sensible, specifically as a security
> > > measure, a) apply ACLs on an otherwise massively multi-user-write-access
> > > host and b) use a separate far-less-featured host.
> > >
> > > You claim that both setups have equal vulnerabilities.
> >
> > No, I claim they have different sets of vulnerabilities, disadvantages
> > and advantages, and that both can provide the required feature:
> > disallow force pushes/deleting tags. The hardest thing with security
> > is that it requires a constant, ongoing effort, that will never end,
> > and will only get harder. A widely used software like Gitlab is better
> > for this, as is a widely used kernel like Linux. Or are you suggesting
> > such a server should run on Hurd, given it's far-less-featured and
> > thus has a much smaller attack surface than Linux?
>
> No, I am not suggesting the use of the Hurd here, and I am having a hard
> time assuming good faith with the potential undertones of that question.
>
> To answer your convoluted question, I am suggesting that Salsa and
> tag2upload have very different needs (multi-user write versus multi-user
> append-only, drastically simplified), and consequently to not argue that
> reuse of Salsa for hosting tag2upload is a security benefit.

The argument is about attack surface, number of features, size of code
base, auditability, etc. If you make that argument about the git stack
running on a server, then the same argument applies for every other
component in the same server that interacts in any way with the
payload(s) - kernel, libc, compilers, etc. Otherwise you are just
cherry-picking what is convenient, and ignoring what is not. If Gitlab
can't be used in a security-relevant component because it's too big to
audit, then so are the Linux kernel and GCC.

My argument is that having a single system is beneficial for
maintenance costs (fewer platforms, fewer moving parts), for security
(components in widespread usage with heavy commercial backing spending
the big $$$$ to ensure it's not completely borken), and for
rationalizing and avoiding duplication.