
Re: Validating tarballs against git repositories



Jeremy Stanley <fungi@yuggoth.org> writes:
> On 2024-03-29 23:29:01 -0700 (-0700), Russ Allbery wrote:
> [...]
>> if the Git repository is somewhere other than GitHub, the
>> malicious possibilities are even broader.
> [...]

> I would not be so quick to make the same leap of faith. GitHub is
> not itself open source, nor is it transparently operated. It's a
> proprietary commercial service, with all the trust challenges that
> represents. Long, long before XZ was a twinkle in anyone's eye,
> malicious actors were already regularly getting their agents hired
> onto development teams to compromise commercial software. Just look
> at the Juniper VPN backdoor debacle for a fairly well-documented
> example (but there's strong evidence this practice dates back well
> before free/libre open source software even, at least to the 1970s).

This is a valid point: let me instead say that the malicious possibilities
are *different*.  All of your points about GitHub are valid, but the
counterexample I had in mind is one where the malicious upstream runs the
entire Git hosting architecture themselves and can make completely
arbitrary changes to the Git repository freely.  I don't think we know
everything that is possible to do in that situation.  I think it would be
difficult (not impossible, but difficult) to get into that position at
GitHub, whereas it is commonplace among self-hosted projects.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
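The check the thread's subject refers to, as an added example that is not part of any message in the thread and not code from Debian or any project mentioned here: it reimplements git's blob and tree object hashing in pure Python so that the contents of a release tarball can be reduced to the git tree id they would have, and that id compared with one you recorded independently (for instance the output of `git rev-parse <tag>^{tree}` taken when the release was reviewed), instead of with whatever the upstream's own hosting currently says the tag points to. The tarballs below are constructed in memory, the file contents are made up, and the "expected" tree id is computed from the clean file set as a stand-in for a value recorded out of band.

```python
"""Git tree id of a release tarball's contents, without needing git installed.

Added example for the thread above (not code from any project it mentions).
It reproduces git's object hashing: blob = sha1("blob <len>\\0" + data),
tree = sha1("tree <len>\\0" + sorted "<mode> <name>\\0<20-byte id>" entries).
"""
import hashlib
import io
import tarfile


def git_hash_object(kind: str, data: bytes) -> str:
    """SHA-1 over git's loose-object header followed by the payload."""
    header = f"{kind} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def git_blob_id(data: bytes) -> str:
    return git_hash_object("blob", data)


def _hash_tree(node: dict) -> str:
    """node maps an entry name to a sub-dict (directory) or (mode, bytes)."""
    entries = []
    for name, value in node.items():
        if isinstance(value, dict):
            # git orders a directory as if its name ended in '/'; the mode
            # is written without a leading zero ("40000", not "040000")
            entries.append((name + "/", b"40000", name, bytes.fromhex(_hash_tree(value))))
        else:
            mode, data = value
            entries.append((name, f"{mode:o}".encode(), name, bytes.fromhex(git_blob_id(data))))
    entries.sort(key=lambda e: e[0].encode())  # byte-wise, like git
    body = b"".join(mode + b" " + name.encode() + b"\0" + sha for _, mode, name, sha in entries)
    return git_hash_object("tree", body)


def tree_id_from_files(files: dict) -> str:
    """files: relative posix path -> (git mode, content). Empty dirs are ignored, as in git."""
    root: dict = {}
    for path, (mode, data) in files.items():
        parts = [p for p in path.split("/") if p and p != "."]
        node = root
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = (mode, data)
    return _hash_tree(root)


def tarball_files(tar_bytes: bytes, strip_components: int = 1) -> dict:
    """Map each regular file and symlink in a tarball to (git mode, content).

    strip_components=1 drops the usual 'pkg-1.0/' top-level directory.
    """
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            parts = m.name.split("/")[strip_components:]
            if not parts or not parts[-1]:
                continue
            name = "/".join(parts)
            if m.isfile():
                mode = 0o100755 if m.mode & 0o111 else 0o100644
                files[name] = (mode, tf.extractfile(m).read())
            elif m.issym():
                files[name] = (0o120000, m.linkname.encode())
            # directory, hard-link and device entries have no git tree entry here
    return files


def tree_id_of_tarball(tar_bytes: bytes) -> str:
    return tree_id_from_files(tarball_files(tar_bytes))


def check_tarball(tar_bytes: bytes, expected_tree_id: str) -> bool:
    """True when the tarball's contents hash to the independently recorded tree id."""
    return tree_id_of_tarball(tar_bytes) == expected_tree_id


def build_tarball(prefix: str, files: dict) -> bytes:
    """Constructed sample tarball, built in memory in the order the dict gives."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (mode, data) in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            info.mode = 0o755 if mode == 0o100755 else 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed file set standing in for what a reviewed tag contains.
CLEAN = {
    "configure.ac": (0o100644, b"AC_INIT([pkg], [1.0])\n"),
    "src/main.c": (0o100644, b"int main(void) { return 0; }\n"),
    "build-aux/install.sh": (0o100755, b"#!/bin/sh\nexit 0\n"),
}

if __name__ == "__main__":
    # Stand-in for a tree id you recorded yourself (git rev-parse v1.0^{tree}).
    expected = tree_id_from_files(CLEAN)
    good = build_tarball("pkg-1.0", CLEAN)
    reordered = build_tarball("pkg-1.0", dict(reversed(list(CLEAN.items()))))
    tampered = build_tarball("pkg-1.0", {**CLEAN, "m4/extra.m4": (0o100644, b"dnl injected\n")})
    print("clean tarball matches:    ", check_tarball(good, expected))
    print("reordered tarball matches:", check_tarball(reordered, expected))
    print("tampered tarball matches: ", check_tarball(tampered, expected))
```

The id is content-addressed, so member order, timestamps and the compression layer of the tarball do not affect it, while any added, removed or altered file does. The comparison is only as good as where the expected id comes from: if it is fetched from the same hosting the upstream controls at check time, a rewritten tag simply yields a matching rewritten id, which is the situation the reply above describes.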

