
Re: tag2upload (git-debpush) service architecture - draft
Hi Sam

On Wed, Jul 31, 2019 at 03:21:32PM -0400, Sam Hartman wrote:
>     Bastian> One last time: The user has to certify his upload in a way
>     Bastian> the archive can verify.
> Let me see if I'm correctly understanding this requirement.  You're
> saying that given the dsc presented to dak by the tag2upload service,
> dak needs to be able to verify the contents of the DSC based on the
> user's signature and no external data.

Yes.

dak will push the signed .dsc into the pool.  This file and the complete
source package can then be verified independently by everyone.  We don't
need to trust ftp-master's verification of the signature.

> So, if the tag2upload service does some transformation to produce the
> dsc:
> 1) dak needs to be able to verify the inputs to that transformation
> and
> 2) confirm those inputs are certified back to a user signature.

Not only dak, but everyone who downloads the source package needs to be
able to verify the user signature.

Ian's tag2upload tool wants to replace the user signature with a tool
signature.  The user signature used as input for the tool would no
longer be verifiable, as the input is not provided.  So everything after
that would need to trust the tool and the infrastructure it runs on.
This means we would need to trust it more than we need to trust
ftp-master for source package verification.

> Have I understood your requirement?

Yes.

Regards,
Bastian

-- 
Without followers, evil cannot spread.
		-- Spock, "And The Children Shall Lead", stardate 5029.5
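The verification the message above asks for (anyone who downloads the source package can check it against the uploader's signature, with no trust in the tool or the infrastructure in between) has two parts: the OpenPGP signature over the .dsc must come from a key in the uploader keyring rather than a service key, and the files the .dsc lists must match its Checksums-Sha256 entries. The following is an added example, not code from the thread, from tag2upload or from dak. It assumes the OpenPGP signature itself has already been checked externally (for instance with gpg) and that the caller passes in the fingerprint gpg reported; the file contents, keyring fingerprints and the build_dsc helper are constructed for the demonstration.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Constructed sample inputs (not from the mailing-list thread): the files a
# source upload consists of, held in memory as name -> bytes.
SOURCE_FILES: Dict[str, bytes] = {
    "hello_1.0.orig.tar.gz": b"constructed upstream tarball bytes\n",
    "hello_1.0-1.debian.tar.xz": b"constructed debian tarball bytes\n",
}

# Hypothetical uploader keyring: fingerprints of keys allowed to certify an
# upload. SERVICE_KEY stands for an automated tool's key that is deliberately
# NOT in the uploader keyring, which is the situation the thread objects to.
UPLOADER_KEYRING: Set[str] = {"0000000000000000000000000000000000000001"}
UPLOADER_KEY = "0000000000000000000000000000000000000001"
SERVICE_KEY = "0000000000000000000000000000000000000002"


def build_dsc(source: str, version: str, files: Dict[str, bytes]) -> str:
    """Produce the signed payload of a .dsc: an RFC822-style control block
    whose Checksums-Sha256 field lists one ' <hash> <size> <name>' line per
    file. Constructed stand-in for what dpkg-source writes."""
    lines = ["Format: 3.0 (quilt)", f"Source: {source}",
             f"Version: {version}", "Checksums-Sha256:"]
    for name, data in sorted(files.items()):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_control(text: str) -> Dict[str, str]:
    """Parse a control block. Continuation lines (leading whitespace) are
    appended to the preceding field, separated by newlines."""
    fields: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith((" ", "\t")):
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            current = current.strip()
            fields[current] = value.strip()
        elif line.strip():
            raise ValueError(f"malformed line: {line!r}")
    return fields


def verify_dsc(dsc_text: str, files: Dict[str, bytes], signer_fpr: str,
               keyring: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the upload checks out.
    Assumes the OpenPGP signature over dsc_text was already verified and
    signer_fpr is the fingerprint of the key that made it."""
    problems: List[str] = []
    # The certifying key must be an uploader's key, not a tool's key.
    if signer_fpr not in keyring:
        problems.append(f"signer {signer_fpr} is not an uploader key")
    fields = parse_control(dsc_text)
    entries = [e for e in fields.get("Checksums-Sha256", "").split("\n") if e]
    if not entries:
        problems.append("no Checksums-Sha256 entries")
    listed: Set[str] = set()
    for entry in entries:
        m = re.fullmatch(r"([0-9a-f]{64}) (\d+) (\S+)", entry)
        if not m:
            problems.append(f"bad checksum entry: {entry!r}")
            continue
        digest, size, name = m.group(1), int(m.group(2)), m.group(3)
        listed.add(name)
        data = files.get(name)
        if data is None:
            problems.append(f"missing file {name}")
            continue
        if len(data) != size:
            problems.append(f"size mismatch for {name}")
        if hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"sha256 mismatch for {name}")
    # Files not covered by the signed checksums are not certified at all.
    for name in files:
        if name not in listed:
            problems.append(f"unlisted file {name}")
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Genuine upload, upload whose tarball changed after signing, and
    upload certified by a service key rather than an uploader key."""
    dsc = build_dsc("hello", "1.0-1", SOURCE_FILES)
    genuine = verify_dsc(dsc, SOURCE_FILES, UPLOADER_KEY, UPLOADER_KEYRING)
    tampered_files = dict(SOURCE_FILES)
    tampered_files["hello_1.0-1.debian.tar.xz"] = b"modified after signing\n"
    tampered = verify_dsc(dsc, tampered_files, UPLOADER_KEY, UPLOADER_KEYRING)
    by_service = verify_dsc(dsc, SOURCE_FILES, SERVICE_KEY, UPLOADER_KEYRING)
    return genuine, tampered, by_service


if __name__ == "__main__":
    for label, result in zip(("genuine", "tampered", "service-signed"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The signer check is the part the thread is about: if the .dsc in the pool is signed by a service key, the keyring lookup is the only thing standing between a downloader and having to trust that service's infrastructure, because the user's original tag signature is not in the archive to be re-checked.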