On Tuesday, June 11, 2024 9:39:04 PM EDT Russ Allbery wrote:
> Hi all,
>
> Below is the security review that I did of the tag2upload design.
>
> I am not a neutral party, in the sense that I think tag2upload is a good idea and should be deployed. However, I do these types of security reviews professionally, and I tried to approach this review the same way that I would approach a major work project that needed a security review to ensure we weren't deploying something with security issues. I encourage any Debian community member with security expertise to check my work; with security reviews, the more eyes, the better.
>
> I will also post this review on my web site, probably later tonight if I have time.
I appreciate the thought and effort that went into this review.

If I'm following your description correctly, the tag2upload "package" flow is:

    developer --> salsa --> tag2upload --> ftp.upload.debian.org machine --> dgit-repos

Is that right?

While it may not matter from a post-attack detection security trace perspective, I think there are more routine trace activities that this complicates. A couple of examples are the "signed by" listing in the tracker.d.o news section for packages, and who-uploads from devscripts. While making package signing information less visible isn't directly a security issue, it does seem like a complication that makes it harder to keep up with what's going on.

Would you consider these kinds of indirect effects relevant from a security analysis perspective, or are they just non-security concerns from your POV?

Scott K