>>>>> "Russ" == Russ Allbery <r...@debian.org> writes:
Russ> The attack that Simon is talking about doesn't require a
Russ> preimage attack, only a successful collision attack against
Russ> Git trees using SHAttered plus some assumptions about where
Russ> Git may be lazy about revalidating hashes. It's an
Russ> interesting point that I didn't think of, although I'm not
Russ> sure that it would work against GitLab and thus against Salsa
Russ> and I think it's fairly trivial to protect against regardless.
Russ, I'm trying and failing to find time to write a long response to
your security review.
But I'm going to try to make this point because I think it is relevant
and because it came up a number of times when I'm thinking about your
analysis.
You talk a number of times about whether an attack is possible against
salsa. But especially when thinking about detection and tracing, I
think that things that are verified by signatures made with keys not
held by the system in question are harder to modify than things that can
be verified only so long as a system remains trusted.
One of the things that I found striking in the xz-utils attack was how
two different systems (the release tarballs) and git archives might have
been exploited to hide an attack. If people looked at git and not the
archive, they might conclude there was no attack, even if they had been
alerted that there might be a problem.
Which is to say, especially in the moment when considering an incident,
people are very bad about reasoning about whether views of a system are
equivalent.
So, I consider the following to be useful to an attacker--to be threats
worth mitigating:
1) Attacker uploads malicious code to the archive.
2) Attacker possibly through a compromise of the dgit server and salsa
changes the git view to be something harmless.
Such an attack can be detected by regularly verifying the archive
contents against git versions.
I do not have confidence that verification will hapen.
At least in my experience if I have a choice between git and unpacking a
dsc, I'll take git almost all the time.
I realize there are DDs who prefer the dsc.
Still, my initial read of your analysis is that you discount attacks
like this more than makes sense to me.
I also believe that hash collisions may make attacks like the above more
possible.
My strong suspicion is that even if the classes of attack I am thinking
about are given the consideration I think they need, tag2upload will
still be reasonable from a security architecture standpoint.
signature.asc
Description: PGP signature
