Re: tag2upload service architecture and risk assessment - draft v2

To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: Sam Hartman <hartmans@debian.org>, debian-devel@lists.debian.org, ftpmaster@debian.org
Subject: Re: tag2upload service architecture and risk assessment - draft v2
From: Sam Hartman <hartmans@debian.org>
Date: Tue, 27 Aug 2019 13:47:15 -0400
Message-id: <[🔎] tsl8srepkkc.fsf@suchdamage.org>
In-reply-to: <[🔎] 23909.26130.546529.438293@chiark.greenend.org.uk> (Ian Jackson's message of "Tue, 27 Aug 2019 18:19:14 +0100")
References: <[🔎] 23900.11950.21756.780115@chiark.greenend.org.uk> <[🔎] 20190827124128.wabbhitmizv77h56@shell.thinkmo.de> <[🔎] tsld0gqpujk.fsf@suchdamage.org> <[🔎] 23909.24490.724219.512423@chiark.greenend.org.uk> <[🔎] 23909.26130.546529.438293@chiark.greenend.org.uk>

>>>>> "Ian" == Ian Jackson <ijackson@chiark.greenend.org.uk> writes:

    Ian> From my reading of the thread, it seems that there are two
    Ian> disputed design demands, which are related.

    Ian> The most basic demand is that the archive should be able to
    Ian> verify the whole contents of the .dsc, given data signed by the
    Ian> user.

    Ian> The risk assessment explains why I don't think this is an
    Ian> appropriate requirement, but I will go through it again:

    Ian> The mapping from git tag to .dsc is nontrivial.  git tag to
    Ian> .dsc construction (or verification) is complex and offers a
    Ian> large attack surface to the incoming source code.  It ought not
    Ian> to be done near a powerful key such as the dak master archive
    Ian> signing key.

It's nontrivial in your design.  It sounds like in Ansger's approach
where effectively all the data you need for the dsc is included in the
tag, it would be a lot more trivial.  Obviously that design fails to
give you some things you value.  But it seems to me at least that if you
are willing to do significantly more work on the tagger's computer you
can make tag to dsc verification a lot simpler.

Also, I think the question of whether third-parties should be able to
verify that a dsc was properly generated without going back to a git tag
is interesting.

    Ian> The second demand (or the second aspect) is that all of this
    Ian> verification, by the archive, should be doable without relying
    Ian> on the git SHA-1 object system.


If we get down to a point where this is a major issue, I'm happy to step
in as someone who has a lot of protocol security design experience and
reach out to other Internet security experts for their review.  I could
explain why I think relying on Git's integrity mechanisms for verifying
the authenticity of objects stored in Git (which is exactly what you are
doing) is a reasonable thing to do from a security standpoint.  My
answer will look a lot like Russ's answer.

I understand why SHA-1 looks worrying, and I was initially worried.  I'd
need to do a bit more review before I'd feel comfortable doing a write
up on this, but I think Russ's analysis is looking fairly good from
where I sit now.

Reply to:

Follow-Ups:
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

References:
- tag2upload service architecture and risk assessment - draft v2
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Bastian Blank <waldi@debian.org>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Sam Hartman <hartmans@debian.org>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Re: Consensus Call: Git Packaging Round 1
Next by Date: Re: Consensus Call: Git Packaging Round 1
Previous by thread: Re: tag2upload service architecture and risk assessment - draft v2
Next by thread: Re: tag2upload service architecture and risk assessment - draft v2
Index(es):
- Date
- Thread