Russ Allbery:
> Below is the security review that I did of the tag2upload design.
> [...]
> The existing upload architecture requires trusting the host used by the
> uploader to build the source package. If that host is compromised, an
> attacker could inject malicious code into the source package, either by
> modifying the upstream tar file (if signed upstream tar files are not
> used) or by injecting it into the Debian package build system, maintainer
> scripts, or patches.
>
> This attack is not equivalent to compromise of the uploader's OpenPGP key,
> which neither upload architecture defends against. Many Debian uploaders
> build source packages on less-trusted systems where they also build and
> test binary packages, and then sign the source package from a more-trusted
> system or use a hardware key.
Is this really common practice that Debian uploaders sign (source) packages they built on less-trusted systems? And, if yes: Why wouldn't they do the equivalent with the sources in git (work on the less trusted system, transfer commits (git push/pull) to the system with signing access and sign there, without review)?