
Re: tag2upload (git-debpush) service architecture - draft



Bernd Zeimetz writes:
> On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:
>> As a way to avoid relying on SHA-1, would it work to have git-debpush
>> include a longer hash in the tag message, and tag2upload also verify
>> that hash?
>>
> The other idea would be to convince git upstream to use something
> better than sha1 - and after a bit of searching, I found
[...]
> So I think the best thing to do is to get sha256 working in git and
> force the usage of sha256 if you want to sign a tag for upload.

That will take quite a while; we would probably need a version of git
supporting that in stable.

There are also other issues, for example:

 - Such a service would bypass various sanity checks on the archive
   side, including various permission checks.

 - Such a service would need to properly validate the PGP signature.
   The archive really shouldn't rely on a third-party service for this.
   (In particular the service in question here doesn't do that as far as
   I can tell.)

Ansgar

