On 17.06.24 00:04, Joerg Jaspert wrote:
> Well, if the maintainers system is broken in, it makes no difference if
> a git tag or a dsc or whatever else is signed. It all can end up
> modified by the attacker.
While that's true as a matter of principle, the *discoverability* of an attacker's modification is far higher when using tag2upload.

A signed git tag doesn't merely track a set of files; it also tracks their history. You can thus go to Salsa and verify that e.g. the emergency NMU that I pushed to $Package yesterday only contains one commit on top of the maintainer's and changes only one file (OK, two if we consider d/changelog).

Or, I can scan my package's git history (which I frequently do) and notice the spurious change to src/util/securitycheck.c in there.

While in principle it's possible to do the same thing by downloading two sets of $Package-*.debian.tar.gz files from archive.d.o, unpacking them, and running "diff -r", that's two orders of magnitude more work, might require deciphering cryptic diff-of-diffs gibberish, doesn't work too well between upstream versions, and doesn't have a nice webpage I can link to in my NMU bug … all of which means that nobody's going to do it, much less notice said spurious change by accident.

Thus a source upload means that, compared with t2u, it's definitely more likely that the backdoor which $BadPerson inserted into my release when they hacked my machine will go undetected. IMHO, a whole lot more. YMMV and all that.

The t2u output, in turn, can easily be verified. Clone the tag, run dgit, check that it's tree-same as the artifacts that the "real" tag2upload service generated.

-- 
-- regards
-- Matthias Urlichs
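To make "tree-same" concrete, here is an added example (not code from this thread, nor from dgit or tag2upload) that reproduces git's blob and tree object ids in plain Python, so two unpacked source trees can be compared by content exactly the way git identifies a tag's tree; the two sample trees and the edit to src/util/securitycheck.c are constructed for the demo.

```python
import hashlib, os, shutil, stat, tempfile

def git_blob_hash(data: bytes) -> str:
    """Object id git gives file content (what `git hash-object` prints)."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def git_tree_hash(path: str) -> str:
    """Object id git gives a directory: covers paths, modes and content only (never mtimes)."""
    entries = []
    for name in os.listdir(path):
        full, st = os.path.join(path, name), os.lstat(os.path.join(path, name))
        if stat.S_ISDIR(st.st_mode):  # git sorts directories as if named "name/"
            entries.append((name + "/", b"40000", name, bytes.fromhex(git_tree_hash(full))))
        elif stat.S_ISREG(st.st_mode):  # symlinks/submodules are left out of this example
            mode = b"100755" if st.st_mode & stat.S_IXUSR else b"100644"
            with open(full, "rb") as f:
                entries.append((name, mode, name, bytes.fromhex(git_blob_hash(f.read()))))
    body = b"".join(m + b" " + n.encode() + b"\0" + s for _, m, n, s in sorted(entries))
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

def changed_files(a: str, b: str) -> list:
    """Relative paths whose content differs between two trees (added/removed files too)."""
    def blobs(root):
        out = {}
        for d, _, files in os.walk(root):
            for fn in files:
                with open(os.path.join(d, fn), "rb") as f:
                    out[os.path.relpath(os.path.join(d, fn), root)] = git_blob_hash(f.read())
        return out
    ba, bb = blobs(a), blobs(b)
    return sorted(p for p in set(ba) | set(bb) if ba.get(p) != bb.get(p))

def run_demo() -> dict:
    """Constructed sample: a maintainer's unpacked source vs. a copy standing in for the
    service-built artifacts; the copy then receives one spurious edit."""
    with tempfile.TemporaryDirectory() as work:
        src, art = os.path.join(work, "maintainer"), os.path.join(work, "artifact")
        for rel, text in [("debian/changelog", "pkg (1.0-1) unstable; urgency=medium\n"),
                          ("src/util/securitycheck.c", "int check(void) { return 1; }\n")]:
            os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "w") as f:
                f.write(text)
        shutil.copytree(src, art)
        os.utime(os.path.join(art, "debian/changelog"), (0, 0))  # mtime must not matter
        same_before = git_tree_hash(src) == git_tree_hash(art)
        with open(os.path.join(art, "src/util/securitycheck.c"), "a") as f:
            f.write("int check_disabled(void) { return 0; }\n")  # the unexpected change
        return {"empty_tree": git_tree_hash(tempfile.mkdtemp(dir=work)), "same_before": same_before,
                "same_after": git_tree_hash(src) == git_tree_hash(art), "changed": changed_files(src, art)}
```

The empty-tree id the demo returns is git's well-known 4b825dc6..., which is a quick sanity check that the hashing matches real git.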
