Scott Kitterman <deb...@kitterman.com> writes:

> Today I can download any source package in the archive and verify who
> uploaded the package and is responsible for its contents. It doesn't
> matter if I download it from the main archive or a mirror. Personally,
> I think that's an important characteristic of our package archive, which
> is lost by tag2upload.
The same *information* is there, provided that the tag2upload metadata is trustworthy, but it is not trivial to verify that tag2upload did its part of the job properly. You can trace the package back to tag2upload and you can see who tag2upload asserted uploaded the package, and you can then retrieve that signed Git tag and verify it, but in order to establish the last missing link, you would have to redo the work that tag2upload did to assemble the source package to check that it was done properly.

I think this is less of a regression than it looks like, though.

The very important piece that I think a lot of people have been missing when looking at the overall system is that they assume that the maintainer who signed the source package in the archive verified that the contents of the source package were correct. I am fairly certain that this is not true in nearly every case. The maintainer verified that the source *tree* that they were operating on was correct, and then ran some source package build process locally on their system and blindly signed the results. If their local system were compromised in a way that injected malicious code into the constructed source package, I highly doubt nearly any maintainer would detect that as part of their normal upload workflow.

In other words, my contention is that we have never been able to properly verify that the source package construction was done properly. Right now, we are completely trusting everything that happens on the maintainer's system, based on the maintainer's signature. This is the weakest point of our security model. Some amount of that is unavoidable, since we have no other way to handle the actual signing part. But we can get more assurance that the source package construction was done properly than that; we don't have to trust that the uploader's local system did it properly (at least in the not-universal case of packages well-served by the tag2upload protocol).
-- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>