Brian May <b...@debian.org> writes:

> Simon Josefsson <si...@josefsson.org> writes:
>
>> Successfully attacking ALL individual developers, each with their own
>> individual security weaknesses, seems to me more costly than attacking a
>> single known publicly run instance like tag2upload or Salsa.
>
> You only need to be able to successfully attack *one* developer in order
> to cause significant damage.
>
> The more popular that developer's packages are, the more damage you can
> do.
>
> So the developer with the weakest security practices and most popular
> packages is probably a prime candidate.
Agreed. That is already the case, and tag2upload won't change this.

I was talking about comparing the tag2upload design with the current design (Russ's claim "tag2upload makes this story somewhat better"). I don't think it is a good claim to say that tag2upload will be a security improvement because "the central server is more secure" than the weakest developer machine. To compare apples with apples, from the attacker's point of view, you would have to claim that "the central server is more secure" than ALL developers. Otherwise you aren't comparing the same attacker ability after a successful attack.

I don't think it is reasonable to claim that the central tag2upload server will be more secure than ALL developer machines. I believe it would be more honest to admit that tag2upload will lower the security story for package uploads, and argue that it is still the right thing to do for other reasons.

Generally, I think the only way to improve the security of a system is to REMOVE functionality, never by adding more new complex functionality. I don't see anyone suggesting we will remove any functionality here.

More security audits of tag2upload are great, and will improve confidence in it, but claiming that tag2upload will improve the overall security of Debian seems like overstating what it delivers.

/Simon