Re: tag2upload (git-debpush) service architecture - draft
Ansgar writes ("Re: tag2upload (git-debpush) service architecture - draft"):
> There are also other issues, for example:
>
> - Such a service would bypass various sanity checks on the archive
> side, including various permission checks.
What permission checks are bypassed? The current service does expect
to perform the DD/DM check on behalf of the archive. But that is
straightforward.
> - Such a service would need to properly validate the PGP signature.
> The archive really shouldn't rely on a third-party service for this.
> (In particular the service in question here doesn't do that as far as
> I can tell.)
My prototype already validates the PGP signature on the signed tag it
uses as its input and instructions. That seemed obviously essential
to me even for a demo. (Particularly as even in the demo in theory
the machinery could be subverted by a malicious salsa, otherwise.)
I had the code for that and the DM/DD permission check already,
because they were needed for the dgit git server, which already has
a permissions implementation equivalent to that of the archive (and
using the DAM-supplied data files for that purpose).
Perhaps I have misunderstood what you mean by "validate the PGP
signature".
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
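As an added illustration of the two checks discussed above (validating the PGP signature on the tag, then the DD/DM permission check), not code from dgit or the tag2upload prototype: a Python sketch that parses GnuPG's `--status-fd` output (which is what `git verify-tag --raw` relays on stderr) and decides whether the signing key may upload the named source package. The keyring sets, the DM permission table and the status lines are constructed here as stand-ins; the real service reads the DAM-supplied data files instead.

```python
"""Decide whether a signed git tag may drive an upload of a source package.

Constructed example: DD_KEYRING and DM_PERMISSIONS below stand in for the
DAM-supplied keyring/DM data; the status text is hand-written in the real
`[GNUPG:] ...` status-fd format that `git verify-tag --raw` relays.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping, Optional, Set

# Any of these keywords makes the signature unusable, even if other lines
# (e.g. VALIDSIG next to EXPKEYSIG) look healthy on their own.
HARD_FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG")

# Constructed 40-hex-digit fingerprint of a hypothetical uploader's key.
FPR_DEV = "0123456789ABCDEF0123456789ABCDEF01234567"
KEYID_DEV = FPR_DEV[-16:]  # long key id, as GOODSIG/BADSIG lines print it


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_gpg_status(raw: str) -> Dict[str, object]:
    """Collect status keywords and the primary-key fingerprint from VALIDSIG.

    VALIDSIG's first field is the fingerprint of the key that made the
    signature (possibly a subkey); its last field, when present, is the
    primary key fingerprint, which is what an allowlist should be keyed on.
    """
    keywords: Set[str] = set()
    fingerprint: Optional[str] = None
    for line in raw.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore anything that is not a status line
        fields = line.split()
        keyword = fields[1]
        keywords.add(keyword)
        if keyword == "VALIDSIG" and len(fields) >= 3:
            primary = fields[11] if len(fields) > 11 else fields[2]
            fingerprint = primary.upper()
    return {"keywords": keywords, "fingerprint": fingerprint}


def check_tag_signature(raw_status: str, source_package: str,
                        dd_keyring: Set[str],
                        dm_permissions: Mapping[str, FrozenSet[str]]) -> Verdict:
    """Signature check first, then the DD/DM permission check.

    Trust comes from our own allowlists, so gpg's TRUST_* lines are ignored;
    only the verified fingerprint matters.
    """
    status = parse_gpg_status(raw_status)
    keywords = status["keywords"]
    fpr = status["fingerprint"]
    for bad in HARD_FAILURES:
        if bad in keywords:
            return Verdict(False, f"gpg reported {bad}", fpr)
    if "GOODSIG" not in keywords or "VALIDSIG" not in keywords or fpr is None:
        return Verdict(False, "no GOODSIG/VALIDSIG: signature not verified", fpr)
    if fpr in dd_keyring:
        return Verdict(True, "DD key: may upload any source package", fpr)
    allowed = dm_permissions.get(fpr, frozenset())
    if source_package in allowed:
        return Verdict(True, f"DM key permitted for {source_package}", fpr)
    return Verdict(False, f"key {fpr} is not permitted to upload {source_package}", fpr)


# Constructed status output for a good signature, an expired key, and a bad signature.
SAMPLE_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {FPR_DEV} 0
[GNUPG:] GOODSIG {KEYID_DEV} Example Developer <dev@example.org>
[GNUPG:] VALIDSIG {FPR_DEV} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR_DEV}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_EXPIRED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {FPR_DEV} 0
[GNUPG:] EXPKEYSIG {KEYID_DEV} Example Developer <dev@example.org>
[GNUPG:] VALIDSIG {FPR_DEV} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR_DEV}
[GNUPG:] KEYEXPIRED 1700000000
"""
SAMPLE_BADSIG = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {FPR_DEV} 0
[GNUPG:] BADSIG {KEYID_DEV} Example Developer <dev@example.org>
"""

# Constructed permission data: one DM key allowed only for "hello".
DD_KEYRING: Set[str] = set()
DM_PERMISSIONS: Dict[str, FrozenSet[str]] = {FPR_DEV: frozenset({"hello"})}

if __name__ == "__main__":
    for name, sample, pkg in (("good/hello", SAMPLE_GOOD, "hello"),
                              ("good/other", SAMPLE_GOOD, "other"),
                              ("expired", SAMPLE_EXPIRED, "hello"),
                              ("badsig", SAMPLE_BADSIG, "hello")):
        print(name, check_tag_signature(sample, pkg, DD_KEYRING, DM_PERMISSIONS))
```

The ordering is the point: hard failures are rejected before GOODSIG is even consulted, because an expired or revoked key still yields a VALIDSIG line, and the allowlist is keyed on the full primary fingerprint rather than the 16-digit key id printed on the GOODSIG line.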