On 16.06.24 23:23, Philip Hands wrote:
> Part of the problem space is to prevent another xz-style compromise where the tarball contained stuff not in git. So, probably yes.
>
> We seem to be very focused on how one might reproduce the source package, to make sure that it can be bit-for-bit generated from the signed tag, which is clearly a hard thing to do.
>
> Do we actually need to do that at all?
>
> Would it not be sufficient to check that the resulting source package is a reasonable representation of the content pointed at by the signed tag?
Define "reasonable". Given the myriad of workflows that dgit supports, you'd have to re-run it.

Just to mention one data point, there's no reasonable way to automatically distinguish "they re-ran autoconf" from "they inserted a backdoor into src/Makefile.in". There are plenty of others.
--
with kind regards
--
Matthias Urlichs
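An added example, not code from the thread or from dgit, showing the narrow check the thread is circling: which files in a release tarball are not in the signed tag, and which of those are autotools output that git never contained. It builds a tarball and a git tree listing in memory (both constructed; in practice the listing would come from `git ls-tree -r <tag>`), hashes each tarball file the way git hashes blobs so committed files can be compared without running git, and puts every file into one of four buckets. The "generated" bucket is the one Matthias's point is about: those files are expected to be absent from git, so a diff against the tag says nothing about their content. The list of generated-file names is an assumption for the example.

```python
"""Compare a source tarball against the file list of a git tag.

Added example, not part of the mailing-list thread or of dgit.  The
tarball and the git tree listing below are constructed in memory so the
script runs offline.
"""
import hashlib
import io
import os
import tarfile

# Assumed set of autotools outputs that are normally not committed.  Their
# presence in a tarball is expected, but their content cannot be checked
# against the tag: there is no git blob to compare with.
GENERATED_BASENAMES = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def git_blob_sha1(data: bytes) -> str:
    """SHA-1 of a file exactly as git stores it: 'blob <size>\\0' + content.

    This lets a tarball file be compared with the hash that
    `git ls-tree -r <tag>` prints, without invoking git.
    """
    h = hashlib.sha1()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.hexdigest()


def is_generated(path: str) -> bool:
    return os.path.basename(path) in GENERATED_BASENAMES


def build_tarball(files: dict, prefix: str = "pkg-1.0") -> bytes:
    """Constructed release tarball with the usual top-level directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def classify(tar_bytes: bytes, git_tree: dict) -> dict:
    """Put every regular file of the tarball into one of four buckets.

    verified:    in the tag, content hash matches
    modified:    in the tag, content differs from the tagged blob
    generated:   not in the tag, but a known autotools output (unverifiable)
    unexplained: not in the tag and not a known generated file
    """
    result = {"verified": [], "modified": [], "generated": [], "unexplained": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Drop the leading "pkg-1.0/" directory to get the in-repo path.
            path = member.name.partition("/")[2]
            if not path:
                continue
            data = tar.extractfile(member).read()
            if path in git_tree:
                bucket = "verified" if git_blob_sha1(data) == git_tree[path] else "modified"
            elif is_generated(path):
                bucket = "generated"
            else:
                bucket = "unexplained"
            result[bucket].append(path)
    for bucket in result:
        result[bucket].sort()
    return result


# Constructed stand-in for the files reachable from the signed tag.
COMMITTED = {
    "configure.ac": b"AC_INIT([pkg], [1.0])\nAC_OUTPUT\n",
    "src/Makefile.am": b"bin_PROGRAMS = pkg\npkg_SOURCES = main.c\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
# Constructed stand-in for `git ls-tree -r <tag>` output: path -> blob SHA-1.
GIT_TREE = {path: git_blob_sha1(content) for path, content in COMMITTED.items()}

# Constructed tarball: the committed files, autotools output, one file that
# matches neither category, and a main.c that silently differs from the tag.
TARBALL = build_tarball({
    "configure.ac": COMMITTED["configure.ac"],
    "src/Makefile.am": COMMITTED["src/Makefile.am"],
    "src/main.c": b"int main(void) { return 1; }\n",  # differs from the tag
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "src/Makefile.in": b"# generated by automake\nall:\n",
    "m4/extra.m4": b"dnl not in git, not a known generated file\n",
})

if __name__ == "__main__":
    for bucket, paths in classify(TARBALL, GIT_TREE).items():
        print(f"{bucket:12s} {paths}")
```

Run it and the report separates the three situations the thread conflates: `src/main.c` is caught because git's blob hash is available to compare against; `m4/extra.m4` is flagged because nothing explains it; `configure` and `src/Makefile.in` land in "generated", where the script can only say that they are not in the tag, not whether they were produced by autoconf or edited afterwards. Closing that last gap means regenerating them under the same toolchain, which is the re-run the reply above refers to.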