Hi Sean, hi all,

On 12.07.19 09:00, Sean Whitton wrote:
> On Fri 12 Jul 2019 at 04:30am +00, Scott Kitterman wrote:
>
>> Has there been any analysis of the security implications of this
>> proposed service?
>
> Nothing formal, though of course we were thinking about it while we were
> working on it.
>
>> If I am understanding the description correctly, the transformation
>> from git tag (which is signed and can be verified) to a source package
>> (which can be signed and verified) will happen on an internet facing
>> server (typically this would happen on a local developer machine) and,
>> unless there is additional magic around key management that isn't
>> described in the blog post, the private key for a key the archive
>> trusts would also be there.
>>
>> It seems to me that there is potential for a significant new attack
>> surface that ought to be carefully assessed before this gets anywhere
>> near wired up to feed into the archive from any kind of 'cloud'
>> service.
>
> The current plan is for this machine to be firewalled such that it talks
> only to salsa. For exactly the sort of reasons you describe, you won't
> be able to use this with arbitrary git hosts.
>
> The only untrusted input is the git tags before their signature has been
> verified against the Debian keyring. Maybe we could isolate fetching
> and checking those tags from the part of the service which fetches the
> whole git tree to produce a source package.

Nonetheless, it seems to me you are moving from trusting local signing to trusting upload by salsa, thereby making salsa more attractive for attackers.

Best wishes
Michael