
Re: Security review of tag2upload

From Russ Allbery <rra@debian.org>
Newsgroups linux.debian.vote
Subject Re: Security review of tag2upload
Date 2024-06-16 18:10 +0200
Message-ID <IQ0C5-3ntb-3@gated-at.bofh.it> (permalink)
References <IOl7X-2gWq-1@gated-at.bofh.it> <IPOrf-3fLN-1@gated-at.bofh.it> <IPRS9-3hIr-1@gated-at.bofh.it> <IPVCq-3jXI-7@gated-at.bofh.it>
Organization The Eyrie



Scott Kitterman <debian@kitterman.com> writes:

> Yes and no.  The difference is that currently, I can download the source
> package and verify it myself.  Not just who signed it and with what key,
> but that the signature verifies.  I don't need to trust assurances from
> any service.

No, that's not quite true.  You're still trusting assurances from the
uploader's system.  The uploader did not, in general, directly check the
artifact whose signature you're verifying; they, and you, are trusting
that the source package construction was done correctly from their working
tree.

There's been a lot of discussion of the implications of the xz backdoor
for source package construction, but one of the takeaways that I took from
it is to be even less sure of the security of the uploader systems that
are generating our source packages.  Imagine if xz had been backdoored to,
say, inject the installation of a malicious maintainer script into source
packages constructed on that system.  How long would it have been before
we noticed?  The malicious code would have been signed by the uploader and
all the signatures would verify without difficulty.

Certainly we would have noticed eventually.  Probably we would have
noticed before the next stable release.  But I'm not at all sure we would
have noticed before a lot of Debian uploader systems were backdoored and
potentially a lot of uploader keys were stolen depending on uploader key
storage practices.  And there are probably sneakier attacks that I haven't
thought of.

> From the perspective of Debian, the project, that's presumably not
> significant and can be accounted for by updating our tools.  From the
> perspective of some Debian users, I'm less certain of the significance.

I think it would be hugely valuable to have something like a "dgit
verification mode" where you can ask dgit, which already has all the
source package construction logic, to take a tag2upload-generated source
package, start from the tag object and signature, and reproduce that
source package and verify it.  Except for the retrieval of the signed Git
tag, in theory all of that could be done locally.  I'm not sure how hard
that would be (this comes back to the question of how difficult it is to
ensure that the tag2upload source construction algorithm is easily
reproducible), but I think something like that would go a long way towards
providing some really interesting security properties.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
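The "verification mode" sketched in the message above, as an added example that is not part of this thread and is not code from dgit or tag2upload. It is a deliberately simplified model: the source package is reduced to a deterministically built orig tarball plus a manifest of SHA-256 digests standing in for the .dsc Checksums-Sha256 field, the package name, version and file contents are constructed, and the signature check on the Git tag (which git itself would do) is assumed to have already passed. The point it shows is the one the message makes: an artifact signed by the uploader still verifies even if the uploader's machine altered it during construction, and only rebuilding from the tag and comparing exposes that.

```python
# Added example (not from the debian-vote thread, dgit or tag2upload):
# reproduce a source package from a tag's tree and compare with what was
# uploaded.  Tag signature verification is assumed done and not modelled.
from __future__ import annotations

import gzip
import hashlib
import io
import tarfile

PACKAGE = "hello"   # hypothetical package name
VERSION = "1.0"     # hypothetical upstream version


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_orig_tarball(tree: dict[str, bytes]) -> bytes:
    """Construct hello_1.0.orig.tar.gz from a tag's tree, deterministically.

    Every source of nondeterminism that would defeat reproduction is pinned:
    entry order (sorted paths), ownership, mode, per-entry mtime, and the
    gzip header timestamp (mtime=0), which gzip otherwise takes from the
    wall clock and which alone would make two honest builds differ.
    """
    buf = io.BytesIO()
    gz = gzip.GzipFile(fileobj=buf, mode="wb", mtime=0)
    with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(tree):
            data = tree[path]
            info = tarfile.TarInfo(name=f"{PACKAGE}-{VERSION}/{path}")
            info.size = len(data)
            info.mode = 0o644
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    gz.close()
    return buf.getvalue()


def build_manifest(tree: dict[str, bytes]) -> dict[str, str]:
    """What gets published alongside the upload: digests of the tarball and
    of each file inside it (a stand-in for the .dsc checksum fields)."""
    manifest = {f"{PACKAGE}_{VERSION}.orig.tar.gz": sha256_hex(build_orig_tarball(tree))}
    for path, data in tree.items():
        manifest[path] = sha256_hex(data)
    return manifest


def verify_against_tag(tag_tree: dict[str, bytes], uploaded: dict[str, str]) -> list[str]:
    """Rebuild the source package locally from the signed tag's tree and
    compare it with the uploaded manifest.  Returns the discrepancies; an
    empty list means the upload is exactly what the tag produces."""
    expected = build_manifest(tag_tree)
    problems = []
    for name in sorted(set(expected) | set(uploaded)):
        if name not in uploaded:
            problems.append(f"missing from upload: {name}")
        elif name not in expected:
            problems.append(f"not derivable from tag: {name}")
        elif expected[name] != uploaded[name]:
            problems.append(f"digest mismatch: {name}")
    return problems


# Constructed sample tree, as it would be checked out from the signed tag.
TAG_TREE = {
    "debian/control": b"Source: hello\nMaintainer: Example <ex@example.invalid>\n",
    "debian/rules": b"#!/usr/bin/make -f\n%:\n\tdh $@\n",
    "src/hello.c": b'#include <stdio.h>\nint main(void){puts("hello");return 0;}\n',
}

# Constructed scenario from the message: an uploader machine that silently
# adds a maintainer script while constructing the package.  The uploader's
# signature on the result still verifies; only reproduction from the tag
# shows that the artifact is not what the tag yields.
COMPROMISED_TREE = {
    **TAG_TREE,
    "debian/postinst": b"#!/bin/sh\n# constructed placeholder, not a real payload\n",
}


def honest_upload() -> dict[str, str]:
    return build_manifest(TAG_TREE)


def compromised_upload() -> dict[str, str]:
    return build_manifest(COMPROMISED_TREE)


if __name__ == "__main__":
    print("honest:", verify_against_tag(TAG_TREE, honest_upload()) or "reproducible")
    print("compromised:", verify_against_tag(TAG_TREE, compromised_upload()))
```

The interesting part for the question raised in the message (how hard it is to make the construction reproducible) is everything `build_orig_tarball` has to pin: tar entry order, ownership, modes, mtimes and the gzip header timestamp. Leave any one of them to the defaults and an honest local rebuild no longer matches, so a verifier cannot tell "nondeterministic build" from "tampered artifact"; the construction algorithm has to be fully specified before a check like `verify_against_tag` means anything.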
