Bart Martens <ba...@debian.org> writes:

> On Wed, Jun 12, 2024 at 06:25:02AM +0800, Sean Whitton wrote:
>> BEGIN FORMAL RESOLUTION TEXT
>>
>> tag2upload allows DDs and DMs to upload simply by using the
>> git-debpush(1) script to push a signed git tag.
>
> Question. Does the tag signer need to trust the remote vcs and its
> admins at the moment of tag signing? With a .changes file the signer has
> full local control: local source code inspection, local checksums
> generation, and local signing. I wonder how tag2upload would offer this
> level of control without lowering the value of the signatures.

The Git tag signature is over your local Git repository. It's like most
other Git objects: it's operating on your local copy of the repository.
If the remote side changes, your tag will not reference the new Git tree
on the remote side. It will still reference the exact Git tree that you
signed. (Modulo successful SHA-1 collision attacks, of course.)

Now, that doesn't mean that the reviewer necessarily uses that property
correctly. If you git clone the repository, review it, and then sign
your local copy based on that review, you have reasonable assurance that
the tag is on exactly the thing that you reviewed. If you review the
repository on Salsa via the web interface, and *then* git clone it and
sign it, you have created a window where you could have lost a race and
be signing something different than you had thought. Or if Salsa was
compromised, it could have been lying to you about the contents of the
Git tree, etc.

However, I don't think this is a new issue with tag2upload. Exactly the
same caveat applies to the existing upload mechanism: if you review the
code on Salsa and then git clone it and build a source package for
uploading without checking the contents of the git clone separately,
there is exactly the same window of vulnerability.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
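The two properties discussed in the reply above, that a tag is bound to the exact tree it was created on and that a "review on the web, then clone" workflow leaves a race window, can be shown with a throwaway local repository. This is an added example, not code from the thread, from tag2upload or from git-debpush; the bare repository standing in for Salsa, the file contents and the tag name `reviewed-upload` are all constructed here. The tag is created with `git tag -a` so that it runs without a signing key; `git tag -s` produces the same tag object (which names the commit, and through it the tree) with a signature attached, so the binding shown here is the one a signature covers. The `clone_matches_review` check is the step the reply says the existing workflow also needs: compare the clone's tree against what was actually reviewed before tagging or building.

```shell
#!/bin/sh
# Added example (not from the thread or from tag2upload): demonstrates that a
# git tag stays bound to the tree it was created on, and a pre-tag check that
# a fresh clone is the content that was reviewed. Everything is local and
# constructed; the bare repo $REMOTE stands in for the hosting service.
set -eu

export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REMOTE="$WORK/remote.git"      # the "server" (constructed, local only)
UPSTREAM="$WORK/upstream"      # working checkout that pushes to it

git init -q --bare "$REMOTE"
git init -q "$UPSTREAM"
git -C "$UPSTREAM" remote add origin "$REMOTE"

# Tree hash of a repository's HEAD: the identity of the content itself.
head_tree() { git -C "$1" rev-parse 'HEAD^{tree}'; }

# Tree hash that a tag (signed or not) resolves to, via the commit it names.
tag_tree() { git -C "$1" rev-parse "$2^{tree}"; }

# Write $2 into file $1, commit with message $3 and push to the remote's main.
commit_and_push() {
  printf '%s\n' "$2" > "$UPSTREAM/$1"
  git -C "$UPSTREAM" add "$1"
  git -C "$UPSTREAM" commit -q -m "$3"
  git -C "$UPSTREAM" push -q origin HEAD:refs/heads/main
}

# Pre-tag check: succeed only if clone $1 has exactly the reviewed tree $2.
clone_matches_review() { [ "$(head_tree "$1")" = "$2" ]; }

# 1. The content is reviewed at this state; record what was reviewed.
commit_and_push hello.c 'int main(void) { return 0; }' 'initial'
REVIEWED_COMMIT=$(git -C "$UPSTREAM" rev-parse HEAD)
REVIEWED_TREE=$(head_tree "$UPSTREAM")

# 2. Race window: the remote moves after the review but before the clone.
commit_and_push hello.c 'int main(void) { return 1; }' 'changed after review'

# 3. A clone of the branch tip is no longer what was reviewed: do not tag it.
git clone -q -b main "$REMOTE" "$WORK/naive"
if clone_matches_review "$WORK/naive" "$REVIEWED_TREE"; then
  echo "unexpected: tip clone matches the reviewed tree" >&2; exit 1
fi
echo "tip clone differs from the reviewed tree; refusing to tag it"

# 4. Clone, pin to the reviewed commit, verify the tree, and only then tag.
git clone -q -b main "$REMOTE" "$WORK/clone"
git -C "$WORK/clone" checkout -q "$REVIEWED_COMMIT"
clone_matches_review "$WORK/clone" "$REVIEWED_TREE"
git -C "$WORK/clone" tag -a -m 'reviewed upload' reviewed-upload

# 5. The remote keeps moving, but the tag still resolves to the reviewed tree.
commit_and_push hello.c 'int main(void) { return 2; }' 'moved again'
[ "$(tag_tree "$WORK/clone" reviewed-upload)" = "$REVIEWED_TREE" ]
echo "tag reviewed-upload -> tree $REVIEWED_TREE (unaffected by the remote)"
# The first line of the tag object is "object <commit>": that is what a
# signature made with `git tag -s` would cover.
git -C "$WORK/clone" cat-file -p reviewed-upload | sed -n '1p'
```

Run it in a scratch directory with `sh`; it needs only git and creates everything under a temporary directory that is removed on exit. Pinning the clone to the reviewed commit is the part that closes the window: comparing `HEAD^{tree}` against the hash recorded at review time makes the "clone then sign" step fail loudly if the branch moved or the server served something else.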