Russ Allbery writes ("Re: Security review of tag2upload"):
> I think it would be hugely valuable to have something like a "dgit
> verification mode" where you can ask dgit, which already has all the
> source package construction logic, to take a tag2upload-generated source
> package, start from the tag object and signature, and reproduce that
> source package and verify it.  Except for the retrieval of the signed Git
> tag, in theory all of that could be done locally.  I'm not sure how hard
> that would be (this comes back to the question of how difficult it is to
> ensure that the tag2upload source construction algorithm is easily
> reproducible), but I think something like that would go a long way towards
> providing some really interesting security properties.

I think doing a fairly good job of this is a fairly simple shell
script.

 1. Check out the maintainer view git tag
    (DEP-14, signed by the maintainer).
    Run dgit quilt-fixup with an appropriate --quilt= option
    (this is the mode that does only the git canonicalisation).
    If you want to do this automatically you need to read the quilt
    mode out of the maintainer tag, by parsing the tag2upload metadata.

 2. Run dgit import-dsc on the allegedly-corresponding .dsc
    from the tag2upload service.

The results of (1) and (2) should be treesame.  This ought to be very
stable, because the precise correspondence between the various git
views and .dsc contents is part of dgit's data model.

You can try this out right now with dgit-repos, since `dgit push` is
supposed to have basically the same properties.

That isn't bit-for-bit reproducibility of the whole .dsc.  I think in
practice the output of `dgit build-source` may well already be
bit-for-bit reproducible (assuming identical versions of all the
programs involved including gbp, quilt, git, patch, dpkg-source,
etc. etc. etc.), but I haven't tested this.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

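Ian's two steps above, written out as an added example shell script. This is not Ian's script and not code from dgit or tag2upload. It assumes the tag2upload metadata is a "[dgit ... --quilt=MODE ...]" line in the signed tag's message, in the style git-debpush writes; because the exact token is an assumption here, both the "--quilt=" and "quilt=" spellings are accepted. `verify_tag2upload TAG DSC` is meant to be run inside a clone of the package's git repository that already has the maintainer's signed tag; the branch names `verify/maint` and `verify/dsc` are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original mail, dgit or tag2upload.
# Step 1: canonicalise the signed maintainer tag with "dgit quilt-fixup".
# Step 2: import the service's .dsc with "dgit import-dsc".
# Then compare the two trees: they should be treesame.
#
# ASSUMPTION: the tag message carries a line such as
#   [dgit distro=debian split --quilt=gbp]
# (git-debpush style). Both "--quilt=MODE" and "quilt=MODE" are accepted.
# Inspect a real tag2upload tag with "git cat-file tag TAG" before relying
# on this pattern.
set -u

# Read tag-message text on stdin; print the quilt mode from the first
# [dgit ...] line that carries one. Exit 1 (no output) if there is none.
quilt_mode_from_message() {
    sed -n 's/^\[dgit .*[ -]quilt=\([^] ]*\).*\]$/\1/p' | head -n 1 | grep .
}

# Same, but reading the message out of a tag object in the current repo.
quilt_mode_from_tag() {
    git cat-file tag "$1" | quilt_mode_from_message
}

# verify_tag2upload TAG DSC
# Exit 0 iff the canonicalised maintainer tag and the imported .dsc have
# identical trees. Must run inside a clone that already has TAG.
verify_tag2upload() {
    tag=$1
    dsc=$2

    # The tag must carry a signature git can verify against the local
    # keyring. This does NOT check that the signer is an uploader of the
    # package; that policy check is outside this script.
    git verify-tag "$tag" ||
        { echo "tag signature check failed for $tag" >&2; return 1; }

    mode=$(quilt_mode_from_tag "$tag") ||
        { echo "no quilt mode found in tag2upload metadata of $tag" >&2; return 1; }

    # Step 1: maintainer view -> dgit view, git canonicalisation only.
    git checkout -q -B verify/maint "$tag" || return 1
    dgit --quilt="$mode" quilt-fixup || return 1
    maint_tree=$(git rev-parse 'HEAD^{tree}')

    # Step 2: import the allegedly corresponding .dsc into its own branch
    # ("+branch" tells dgit it may overwrite that branch).
    dgit import-dsc "$dsc" +verify/dsc || return 1
    dsc_tree=$(git rev-parse 'verify/dsc^{tree}')

    if [ "$maint_tree" = "$dsc_tree" ]; then
        echo "OK: treesame ($maint_tree)"
    else
        echo "MISMATCH: tag tree $maint_tree, dsc tree $dsc_tree" >&2
        git diff --stat verify/maint verify/dsc >&2
        return 1
    fi
}

# Usage: verify.sh TAG path/to/package.dsc
if [ $# -ge 2 ]; then
    verify_tag2upload "$1" "$2"
fi
```

As Ian says, a treesame result is not bit-for-bit reproducibility of the .dsc: it shows the service's source package unpacks to the same git tree the maintainer signed, which is the property that matters for the tag-to-upload link. The `git diff --stat` on mismatch is there so that a failure points at the files that differ rather than just at two tree ids.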