Groups | Search | Server Info | Keyboard shortcuts | Login | Register

Groups > linux.debian.vote > #4549

Re: Security review of tag2upload

From Russ Allbery <rra@debian.org>
Newsgroups linux.debian.vote
Subject Re: Security review of tag2upload
Date 2024-06-16 08:50 +0200
Message-ID <IPRS9-3hIr-1@gated-at.bofh.it> (permalink)
References <IOl7X-2gWq-1@gated-at.bofh.it> <IPOrf-3fLN-1@gated-at.bofh.it>
Organization The Eyrie

Show all headers | View raw

Scott Kitterman <debian@kitterman.com> writes:

> I appreciate the thought and effort that went into this review.

> If I'm following your description correctly, the tag2upload "package" flow is:

> developer --> salsa --> tag2upload --> ftp.upload.debian.org
> machine                                               --> dgit-repos

> Is that right?

Yes, I think so.

> While it may not matter from a post attack detection security trace
> perspective, I think there are more routine trace activities that this
> complicates.  A couple of examples are the signed by listing in the
> tracker.d.o news section for packages and who-uploads from devscripts.

> While making package signing information less visible isn't directly a
> security issue, it does seem like a complication that makes it harder to
> keep up with what's going on.

> Would you consider these kind of indirect effects relevant from a
> security analysis perspective or are they just non-security concerns
> from your POV?

I made the assumption that, if tag2upload were deployed, those tools would
be modified to pick up the signer information from the *.changes fields
where tag2upload puts it.  That metadata is put into both the *.dsc and
the *.changes files.

As with the other parts of this proposed design, that does require
trusting tag2upload to do the authentication check properly, so a
compromised tag2upload server could write erroneous trace information and
therefore would not be detected by either of those tools.

A tag2upload server compromise is fairly serious.  A compromise of any of
tag2upload, dak, or the buildds have roughly equally serious potential
impact on the archive as far as I can tell, although the details differ.
In all three cases, you need reproducible builds to reliably detect the
compromise, although in the tag2upload case you only need reproducible
source builds for the specific set of source transformations that
tag2upload is willing to perform, which I believe is a much easier problem
than the reproducible binary builds required to detect buildd or dak
compromises.  dak, uniquely, can meddle with either source *or* binary
packages, but dak meddling with source packages will break the signatures
on those packages, so is somewhat easier to detect than dak meddling with
binary packages.

(This is assuming I'm not missing some security control in dak, which is
entirely possible because I've not done a comprehensive security review of
dak and am not certain of all the details of the architecture.  If I'm
missing something, please do correct me!)

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Back to linux.debian.vote | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-12 03:40 +0200
  Re: Security review of tag2upload Antoine Beaupré <anarcat@debian.org> - 2024-06-12 19:20 +0200
    Re: Security review of tag2upload Simon McVittie <smcv@debian.org> - 2024-06-12 20:00 +0200
      Re: Security review of tag2upload Sam Hartman <hartmans@debian.org> - 2024-06-12 21:50 +0200
    Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-12 20:30 +0200
  Re: Security review of tag2upload Simon Josefsson <simon@josefsson.org> - 2024-06-13 16:00 +0200
    Re: Security review of tag2upload Simon Richter <sjr@debian.org> - 2024-06-13 16:10 +0200
      Re: Security review of tag2upload Simon Josefsson <simon@josefsson.org> - 2024-06-13 17:00 +0200
    Re: Security review of tag2upload Marco d'Itri <md@Linux.IT> - 2024-06-13 18:40 +0200
      Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-13 20:00 +0200
        Re: Security review of tag2upload Sam Hartman <hartmans@debian.org> - 2024-06-13 23:00 +0200
          Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-16 18:40 +0200
            Re: Security review of tag2upload Sam Hartman <hartmans@debian.org> - 2024-06-16 23:30 +0200
              Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-24 20:30 +0200
    Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-13 21:00 +0200
      Re: Security review of tag2upload [transfer.fsckObjects] Simon Josefsson <simon@josefsson.org> - 2024-06-14 00:00 +0200
        Re: Security review of tag2upload [transfer.fsckObjects] Russ Allbery <rra@debian.org> - 2024-06-14 00:50 +0200
          Re: Security review of tag2upload [transfer.fsckObjects] Russ Allbery <rra@debian.org> - 2024-06-14 01:00 +0200
  Re: Security review of tag2upload Scott Kitterman <debian@kitterman.com> - 2024-06-16 05:10 +0200
    Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-16 08:50 +0200
      Re: Security review of tag2upload Gunnar Wolf <gwolf@debian.org> - 2024-06-16 09:00 +0200
      Re: Security review of tag2upload Scott Kitterman <debian@kitterman.com> - 2024-06-16 12:50 +0200
        Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-16 18:10 +0200
          Re: Security review of tag2upload Scott Kitterman <debian@kitterman.com> - 2024-06-16 18:20 +0200
            Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-16 18:50 +0200
              Re: Security review of tag2upload Scott Kitterman <debian@kitterman.com> - 2024-06-16 19:10 +0200
                Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-16 20:30 +0200
                Re: Security review of tag2upload Scott Kitterman <debian@kitterman.com> - 2024-06-16 21:20 +0200
                Re: Security review of tag2upload Matthias Urlichs <matthias@urlichs.de> - 2024-06-16 22:00 +0200
                Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-16 22:10 +0200
                Re: Security review of tag2upload Scott Kitterman <debian@kitterman.com> - 2024-06-17 06:40 +0200
                Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-17 07:30 +0200
                Re: Security review of tag2upload Scott Kitterman <debian@kitterman.com> - 2024-06-17 07:50 +0200
                Re: Security review of tag2upload Louis-Philippe Véronneau <pollo@debian.org> - 2024-06-17 07:50 +0200
                Re: Security review of tag2upload Louis-Philippe Véronneau <pollo@debian.org> - 2024-06-17 08:20 +0200
                Re: Security review of tag2upload Jonas Smedegaard <jonas@jones.dk> - 2024-06-17 08:20 +0200
                Re: Security review of tag2upload Matthias Urlichs <matthias@urlichs.de> - 2024-06-17 09:40 +0200
                Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-17 17:40 +0200
                Re: Security review of tag2upload Aigars Mahinovs <aigarius@debian.org> - 2024-06-17 12:50 +0200
              Re: Security review of tag2upload Simon Josefsson <simon@josefsson.org> - 2024-06-17 11:00 +0200
                Re: Security review of tag2upload Brian May <bam@debian.org> - 2024-06-17 12:40 +0200
                Re: Security review of tag2upload Simon Josefsson <simon@josefsson.org> - 2024-06-17 13:30 +0200
                Re: Security review of tag2upload Matthias Urlichs <matthias@urlichs.de> - 2024-06-17 13:30 +0200
                Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-17 17:30 +0200
              Re: Security review of tag2upload Ian Jackson <ijackson@chiark.greenend.org.uk> - 2024-06-17 13:40 +0200
            Re: Security review of tag2upload Stefano Rivera <stefanor@debian.org> - 2024-06-16 19:30 +0200
          Re: Security review of tag2upload Ian Jackson <ijackson@chiark.greenend.org.uk> - 2024-06-17 13:30 +0200
  Re: Security review of tag2upload HW42 <hw42@ipsumj.de> - 2024-06-25 01:10 +0200
    Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-25 02:10 +0200
      Re: Security review of tag2upload Russ Allbery <rra@debian.org> - 2024-06-25 03:40 +0200
        Re: Security review of tag2upload Salvo Tomaselli <tiposchi@tiscali.it> - 2024-06-26 09:30 +0200
          Re: Security review of tag2upload Jonas Smedegaard <jonas@jones.dk> - 2024-06-26 09:50 +0200
            Re: Security review of tag2upload Salvo Tomaselli <tiposchi@tiscali.it> - 2024-06-26 10:40 +0200
              Re: Security review of tag2upload Jonas Smedegaard <jonas@jones.dk> - 2024-06-26 12:40 +0200
    Re: Security review of tag2upload Ian Jackson <ijackson@chiark.greenend.org.uk> - 2024-06-25 11:30 +0200
    Re: Security review of tag2upload Matthias Urlichs <matthias@urlichs.de> - 2024-06-25 12:10 +0200

csiph-web