On 17.06.24 10:51, Simon Josefsson wrote:
> Successfully attacking ALL individual developers, with each own individual security weaknesses, seems to me more costly than attacking a single known publicly run instance like tag2upload or Salsa.
The thing is, you don't need to hack ALL of them to succeed. You only need one – the one with the worst security-to-usefulness (to the attacker) ratio, as XZ amply demonstrated. At that point it's game over.
Also, we can audit t2u if we decide to. We can write a second implementation, in a different language and using a different container runtime for running dgit, and verify that the output is the same. Or we can implement the task in dak directly.
We can harden the container. Heck we can even use a separate computer if we decide that VMs aren't good enough, do a hard reboot between packages, and use dm-verity to ensure that its disk isn't tampered with, but that's way beyond what our buildds are doing so probably overkill.
We cannot audit (not as easily anyway) source packages that get built on some DD's laptop.
-- 
-- regards
-- 
-- Matthias Urlichs