
Re: tag2upload (git-debpush) service architecture - draft
Hello Bastian,

On Wed 31 Jul 2019 at 10:37PM +02, Bastian Blank wrote:

> On Wed, Jul 31, 2019 at 03:21:32PM -0400, Sam Hartman wrote:
>>     Bastian> One last time: The user has to certify his upload in a way
>>     Bastian> the archive can verify.
>> Let me see if I'm correctly understanding this requirement.  You're
>> saying that given the dsc presented to dak by the tag2upload service,
>> dak needs to be able to verify the contents of the DSC based on the
>> user's signature and no external data.
>
> Yes.
>
> dak will push the signed .dsc into the pool.  This file and the complete
> source package can then be verified independently by everyone.  We don't
> need to trust ftp-master's verification of the signature.
>
>> So, if the tag2upload service does some transformation to produce the
>> dsc:
>> 1) dak needs to be able to verify the inputs to that transformation
>> and
>> 2) confirm those inputs are certified back to a user signature.
>
> Not only dak, but everyone who downloads the source package needs to be
> able to verify the user signature.
>
> Ian's tag2upload tool wants to replace the user signature with a tool
> signature.  The user signature used as input for the tool would no
> longer be verifiable, as the input is not provided.  So everything after
> that would need to trust the tool and the infrastructure it runs on.
> This means we would need to trust it more than we need to trust
> ftp-master for source package verification.

Okay, thanks.

I think that the Git-Tag-Info field solves this.  With that field
available, anyone can do the following to perform an equivalent
verification:

1. fetch the .dsc from the archive

2. fetch, from dgit-repos, the tag given in the Git-Tag-Info field of
   the .dsc

3. check the uploader's signature on that tag against the Debian
   keyring/the Debian maintainers keyring/whatever it is the user wants
   to trust

4. produce a .dsc from the tag by running `dgit --quilt=foo
   build-source`, where 'foo' is a value from the signed metadata in the
   tag

5. unpack the .dscs from steps (1) and (4) with `dpkg-source -x`

6. the verification succeeds if the two unpacked trees are the same.

This process does not require trusting either ftp-master or dgit-repos.
Also, it should be noted that the tag cannot be deleted from dgit-repos
(except by a service administrator).  So we don't have to rely on salsa
either.

Given the above, I believe your requirement is satisfied by tag2upload,
with only the addition of the new Git-Tag-Info field.  Perhaps you could
confirm my reasoning here.

-- 
Sean Whitton
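The six-step check above, written out as an added example script that is not part of this thread or of dgit/tag2upload's own code. It assumes the Git-Tag-Info field holds the tag name as a plain `Git-Tag-Info: <tag>` line and that the signed tag message carries a `quilt=MODE` token; the draft pins down neither, so treat both as placeholders for whatever the final format specifies.

```shell
#!/bin/sh
# Added example (not from the thread, not dgit's own code): Sean's six-step
# verification as a script.  Assumed, because the draft does not fix them:
#   - the .dsc carries "Git-Tag-Info: <tagname>"
#   - the signed tag message contains a "quilt=MODE" token
set -eu

# Step 2 input: the tag name named by the .dsc's Git-Tag-Info field.
git_tag_info() {
    sed -n 's/^Git-Tag-Info:[[:space:]]*//p' "$1" | head -n 1
}

# Step 4 input: the quilt mode recorded in the signed tag message (stdin).
quilt_mode_from_tag_message() {
    sed -n 's/.*quilt=\([A-Za-z0-9+_.-]*\).*/\1/p' | head -n 1
}

# Step 6: the two unpacked trees must match (exit 0 = same, 1 = differ).
trees_identical() {
    diff -r "$1" "$2" >/dev/null 2>&1
}

# Whole procedure: verify_dsc_against_tag archive.dsc path/to/dgit-repos/clone
# Run with GNUPGHOME pointing at the keyring you choose to trust, since that
# is what git verify-tag will consult in step 3.
verify_dsc_against_tag() {
    dsc=$1; repo=$2
    tag=$(git_tag_info "$dsc")
    [ -n "$tag" ] || { echo "no Git-Tag-Info field in $dsc" >&2; return 2; }
    git -C "$repo" fetch -q origin "refs/tags/$tag:refs/tags/$tag"  # step 2
    git -C "$repo" verify-tag "$tag"                                # step 3
    mode=$(git -C "$repo" cat-file tag "$tag" | quilt_mode_from_tag_message)
    [ -n "$mode" ] || { echo "tag $tag names no quilt mode" >&2; return 2; }
    work=$(mktemp -d)
    git -C "$repo" checkout -q "$tag"
    ( cd "$repo" && dgit --quilt="$mode" --build-products-dir="$work" \
          build-source )                                            # step 4
    rebuilt=$(ls "$work"/*.dsc | head -n 1)
    dpkg-source -x "$dsc" "$work/archive" >/dev/null                # step 5
    dpkg-source -x "$rebuilt" "$work/rebuilt" >/dev/null
    trees_identical "$work/archive" "$work/rebuilt"                 # step 6
}
```

Only the parsing and tree-comparison helpers run offline; the full check needs dgit, dpkg-source and network access to dgit-repos.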
