On 21.06.24 17:14, Ansgar 🙀 wrote:
> And that will remain the case: even with tag2upload the maintainer will sign some data that was generated and signed on a random machine with random and possibly-malevolent software that could have silently replaced any file it wanted to...
The keyword here is "silently", which is rather difficult and requires a deeply-compromised copy of git itself, with a heap of intrusive changes. The reason is that the attacker needs to permanently hide the fact that the commit history includes a change that they don't want me to find. Modifying only the version pushed to the archive doesn't work, I'd notice when I push again, or even when I next run "git status" (so in fact pretty much immediately).
I don't doubt that there are people out there who are capable of doing that but it's definitely *much* more difficult than subverting a source builder, even without compromising tar itself: simply wait for it to start, quickly replace a file with a compromised version / add to d/patch / whatever, wait for the builder to finish, undo your exploit. Done.
> And people don't work on the tree actually uploaded to the archive
They do work on (and examine the history of) the tree they clone from Salsa, and you can machine-verify that that's the same as the tagged tree on dgit.d.o.
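As an added illustration of the tree check mentioned above (example code, not part of the thread; the repository contents, branch and tag names are constructed, and the tag is unsigned here because no key is available):

```shell
#!/bin/sh
# Added example, not from the thread: machine-check that the tree a tag points
# at has the same tree object id as the tree at another ref, e.g. the tip of
# the branch cloned from Salsa. In real use the tag would be fetched from
# dgit.d.o and its signature checked first with `git verify-tag`.

# same_tree REPO REF_A REF_B -> 0 if both refs resolve to the same tree,
# 1 if the trees differ, 2 if either ref does not resolve.
same_tree() {
  ta=$(git -C "$1" rev-parse --verify --quiet "$2^{tree}") || return 2
  tb=$(git -C "$1" rev-parse --verify --quiet "$3^{tree}") || return 2
  [ "$ta" = "$tb" ]
}

# Build a small constructed repository: one commit, a tag on it, and a branch
# whose tip changes a file (the "random machine silently replaced a file" case).
# Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  g="git -C $dir -c user.name=demo -c user.email=demo@example.com -c commit.gpgsign=false"
  git init -q "$dir"
  echo 'Source: hello' > "$dir/control"
  $g add control
  $g commit -q -m 'upstream import'
  $g tag -a -m 'debian/1.0-1' debian/1.0-1   # stand-in for the upload tag
  $g checkout -q -b tampered
  echo 'Source: hello-evil' > "$dir/control"
  $g commit -q -a -m 'silent change'
  printf '%s\n' "$dir"
}
```

Run `same_tree "$(make_demo_repo)" debian/1.0-1 tampered` to see the mismatch (exit status 1); comparing the tag with its own commit exits 0.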
-- 
regards
-- 
Matthias Urlichs