Luca Boccassi <bl...@debian.org> writes:

> On Wed, 12 Jun 2024 at 17:46, Russ Allbery <r...@debian.org> wrote:

>> I'm not sure that I understand what you're saying here, but if I did
>> understand this correctly, no, this is not correct. My security review
>> says the exact opposite of this: admin access to Salsa does not allow
>> you to bypass the tag2upload checks or upload a source package.

> Probably "push commits anyway" was a wrong oversimplification; what I
> was referring to was all the various "someone with admin access on
> Salsa" mentions on the document you shared.

Hm, I think you're referring to this section?

| - Administrative access to Salsa would make SHA-1 collision attacks
|   easier, as discussed below. However, this still assumes the attacker
|   is able to create Git trees with colliding hash digests.
|
| - Security vulnerabilities in the Git client used by the tag2upload
|   source package construction sandbox could be exploited by a malicious
|   Salsa Git server to compromise the VM and introduce malicious code
|   into the source package it constructs. Since a malicious Git server
|   could similarly be used to compromise the systems of the numerous
|   Debian contributors who use Salsa via Git clients regularly, I don't
|   believe this introduces substantial new risk, but it does create a new
|   avenue of attack that is possibly less likely to be detected.

I think those are the only two places where administrative access to Salsa
helps attack tag2upload specifically. Those are the two that I mentioned
in the security review.

Administrative access to Salsa could be abused to do other things earlier
in the workflow unrelated to tag2upload, although a lot of them would be
easily detected by anyone with an existing Git checkout once they tried to
update it because they would require force pushes.

-- 
Russ Allbery (r...@debian.org)             <https://www.eyrie.org/~eagle/>
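The last point above, that a history rewrite on the server shows up as a non-fast-forward update to anyone holding an older checkout, can be demonstrated offline. This is an added example, not code from the thread or from tag2upload; it assumes only a working `git` binary and builds throwaway "upstream" and "clone" repositories in a temp directory (repository names, file contents and the `detect_rewrite` check are all constructed for the demo).

```shell
# Added example, not part of the thread: model a server-side history rewrite
# and show that an existing checkout notices it on its next fetch.
set -eu

# Identity and defaults supplied inline so the demo needs no ~/.gitconfig.
GIT="git -c user.name=demo -c user.email=demo@example.invalid -c init.defaultBranch=main -c commit.gpgsign=false"

# setup_repos: create an "upstream" repo with one release commit plus a
# contributor's clone, in a fresh temp dir. Prints the temp dir path.
setup_repos() {
    work=$(mktemp -d)
    $GIT init -q "$work/upstream"
    (cd "$work/upstream" && echo "v1" > file && $GIT add file \
        && $GIT commit -q -m "release 1")
    $GIT clone -q "$work/upstream" "$work/clone"
    echo "$work"
}

# honest_update <upstream>: a normal new commit on top of existing history.
honest_update() (
    cd "$1" && echo "v2" > file && $GIT add file && $GIT commit -q -m "release 2"
)

# tamper_upstream <upstream>: what write access to the server permits,
# replacing the tip commit with different content (a history rewrite).
tamper_upstream() (
    cd "$1" && echo "tampered" > file && $GIT add file \
        && $GIT commit -q --amend -m "release 2"
)

# detect_rewrite <clone>: fetch, then return 0 if origin's branch still
# descends from the commit we already had (fast-forward) and 1 if not.
detect_rewrite() (
    cd "$1"
    branch=$(git symbolic-ref --short HEAD)
    old=$(git rev-parse "refs/remotes/origin/$branch")
    git fetch -q origin
    new=$(git rev-parse "refs/remotes/origin/$branch")
    if git merge-base --is-ancestor "$old" "$new"; then
        echo "ok: origin/$branch fast-forwarded $old -> $new"
    else
        echo "ALERT: origin/$branch rewritten (non-fast-forward): $old -> $new" >&2
        exit 1
    fi
)

W=$(setup_repos)
honest_update "$W/upstream"; detect_rewrite "$W/clone"
tamper_upstream "$W/upstream"; detect_rewrite "$W/clone" || true
rm -rf "$W"
```

The same `merge-base --is-ancestor` comparison is what lets a contributor's routine `git fetch` (which reports the rewrite as a "forced update") catch such tampering; a rewrite that also defeats this check would require the colliding-hash scenario the review discusses.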