| From | Aigars Mahinovs <aigarius@gmail.com> |
|---|---|
| Newsgroups | linux.debian.vote |
| Subject | Re: Summary of the current state of the tag2upload discussion |
| Date | 2024-06-24 21:50 +0200 |
| Message-ID | <ISXRn-5iUa-5@gated-at.bofh.it> |
| References | (3 earlier) <ISy6B-50Wi-1@gated-at.bofh.it> <ISTb3-5fa1-1@gated-at.bofh.it> <ISTXr-5fL4-9@gated-at.bofh.it> <ISWLD-5iau-11@gated-at.bofh.it> <ISXeF-5iCQ-3@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
It's pretty simple. Compromise the computer of one developer, the one they use for development. Have your code be in one of the tools being called during Debian source package build (you don't even need root, just a writable element in PATH). Now you can inject a malicious payload directly into the tarball or debian diff of the target Debian source package. The developer will never see it in their code. It will arrive in the archive signed by the victim as part of normal delivery. There will be nothing suspicious about it unless someone else does a NMU and sees a bigger than expected debdiff. Even if the developer is very security minded and maintains a separate air-gapped signing laptop, that doesn't help unless you first actually analyse the actual artifact that you are signing. Maybe it would even be possible to trick the developer into signing an upload of a different package (add a binary package with high version to their source package?).

With tag2upload there is no obscured source package file to be signed, so all content going into the archive must already be visible in the git repo being signed and will also be visible in the dgit repo. Any difference to the upstream will be quite obvious in either case. That is the difference between signing something that no human will ever be reading and signing the actual source that everyone will be looking at. And that is the difference between needing to secure just one service (tag2upload) instead of securing a thousand work PCs of all DDs.

And we do this already for build machines. If one would want to sneak stuff into Debian, hacking a buildd would be the best target - you are putting hacked binaries into end user machines without leaving traces in source packages or repos.

An attack on upstream where a release tarball is different from the upstream git tree would also be side-stepped by the Debian maintainer simply using only the git tree as upstream and completely ignoring the tarballs. It would not provide a solution for code hidden in the upstream git itself that the maintainer missed.

On Mon, 24 Jun 2024, 22:03 Scott Kitterman, <debian@kitterman.com> wrote:

> Do you have any examples of problems that this would have avoided
> (xz-utils isn't one - due to the way its releases are done, it wouldn't be
> suitable for tag2upload)?
>
> Scott K
>
> On June 24, 2024 6:36:59 PM UTC, Aigars Mahinovs <aigarius@gmail.com> wrote:
> >Signing something that you did not write and something that you don't read
> >is a bad security practice that exposes you to various attacks.
> >
> >Just because we have been doing this poor security practice for a long time
> >does not make it better. Now better methods are possible and we shouldn't
> >prevent them from being used just because we are used to the weaker
> >approach.
> >
> >On Mon, 24 Jun 2024, 18:34 Scott Kitterman, <debian@kitterman.com> wrote:
> >
> >>
> >> None of that changes the fact that it's what they signed. Historically,
> >> the project has found that useful and I think it still is.
> >
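The "analyse the actual artifact that you are signing" step the post describes, as an added example that is not part of the original message or of any Debian tooling: before signing, compare the file digests of a built source tarball against the reviewed tree so that anything a build-time tool slipped in shows up as an added or modified member. The tree, tarball and injected `src/helper.c` member are all constructed inline.

```python
"""Added example (not from the post): check that a source tarball about to
be signed contains exactly the files of the reviewed tree, nothing more."""
import hashlib, io, pathlib, tarfile, tempfile

def sha(data):
    return hashlib.sha256(data).hexdigest()

def tree_digests(root):
    """Relative path -> sha256 for every regular file in the reviewed tree."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}

def tarball_digests(data):
    """Same map for a tarball; the leading pkg-version/ directory is dropped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                rel = m.name.split("/", 1)[1]
                out[rel] = sha(tar.extractfile(m).read())
    return out

def diff_artifact(tree, tar):
    """(added, modified, missing) in the artifact relative to the tree."""
    added = sorted(set(tar) - set(tree))
    missing = sorted(set(tree) - set(tar))
    modified = sorted(p for p in tree if p in tar and tree[p] != tar[p])
    return added, modified, missing

def build_tarball(root, prefix, inject=None):
    """Pack root as prefix/...; `inject` is a constructed (path, bytes) pair
    standing in for a member slipped in by a compromised build tool."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=prefix)
        if inject:
            info = tarfile.TarInfo(prefix + "/" + inject[0])
            info.size = len(inject[1])
            tar.addfile(info, io.BytesIO(inject[1]))
    return buf.getvalue()

def demo():
    """Constructed scenario: clean tree, tarball with one injected file."""
    with tempfile.TemporaryDirectory() as root:
        src = pathlib.Path(root, "src")
        src.mkdir()
        (src / "main.c").write_text("int main(void) { return 0; }\n")
        pathlib.Path(root, "Makefile").write_text("all:\n\tcc src/main.c\n")
        tree = tree_digests(root)
        data = build_tarball(root, "pkg-1.0", ("src/helper.c", b"/* injected */\n"))
        return diff_artifact(tree, tarball_digests(data))
```

A non-empty `added` or `modified` list is the signal to stop and look before signing; a real pre-upload hook would run this against the orig tarball and the unpacked git tree rather than the constructed inputs used here.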