
Re: git & Debian packaging sprint report



Sean Whitton <spwhitton@spwhitton.name> writes:

> The current plan is for this machine to be firewalled such that it talks
> only to salsa.  For exactly the sort of reasons you describe, you won't
> be able to use this with arbitrary git hosts.

> The only untrusted input is the git tags before their signature has been
> verified against the Debian keyring.  Maybe we could isolate fetching
> and checking those tags from the part of the service which fetches the
> whole git tree to produce a source package.

Just to make sure I fully understand the model, is the idea that this
system will verify the signature on the Git tag, construct a source
package from the signed archive, and then sign the resulting source
package with some internal key?

If so, I think that security model is roughly equivalent to the automatic
signing of binary packages by buildds, so probably doesn't introduce a new
vulnerability, but my understanding was that the identity of the signature
on the source package was used in various other places.  Presumably we
would need to introduce some new metadata so that the uploader is mapped
properly to the Git tag signer, rather than to some internal identity of
the source package construction service.

Also, doesn't the archive publish the signed *.dsc files currently?  I
believe this would mean that we would lose some published information from
those files that we currently have (namely which DD and which key signed
the package, which could be useful data in some incident response
scenarios).  That said, there's been some discussion for some time about
having the archive sign all the *.dsc files instead of keeping the
uploader signature, which may be from an expired or unverifiable key
(particularly for packages that haven't been uploaded in some time).

There are also some interesting nuances here around handling DM packages,
where not everyone with a key in the keyring can upload every package,
although the obvious way to address that is probably for this service to
do the same DM checks that ftpmaster would normally do.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
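The gate the thread sketches, as an added example that is not part of this thread or of any Debian service: check the tag signature's gpg status against the keyring, refuse expired, revoked or unknown keys, apply the per-package DM check, and return the real signer's fingerprint so it can be recorded as the uploader instead of the service's internal identity. It assumes the status-fd lines that `git verify-tag --raw` writes to stderr; the fingerprints and policy tables are constructed placeholders.

```python
"""Added example: gate for a tag-to-source-package service.
Input is gpg status-fd output from `git verify-tag --raw`; the policy
tables and fingerprints are constructed placeholders, not real keys."""
from dataclasses import dataclass

DD_FINGERPRINTS = {"1111111111111111111111111111111111111111"}  # any package
DM_UPLOAD_RIGHTS = {"2222222222222222222222222222222222222222": {"foo"}}  # per package
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

@dataclass
class TagVerdict:
    ok: bool
    signer_fpr: "str | None"  # identity to record as the real uploader
    reason: str

def parse_status(lines):
    """Collect gpg status keywords and the signer's primary-key fingerprint."""
    statuses, fpr = set(), None
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        statuses.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Field 11 is the primary-key fingerprint when gpg supplies it;
            # otherwise use the signing (sub)key fingerprint in field 2.
            fpr = fields[11] if len(fields) >= 12 else fields[2]
    return statuses, fpr

def check_tag(status_lines, package):
    """Refuse bad/expired/revoked/unknown signatures, then apply DD/DM policy."""
    statuses, fpr = parse_status(status_lines)
    bad = statuses & REJECT
    if bad:
        return TagVerdict(False, fpr, "refused: " + ",".join(sorted(bad)))
    if "GOODSIG" not in statuses or fpr is None:
        return TagVerdict(False, None, "no valid signature")
    if fpr in DD_FINGERPRINTS:
        return TagVerdict(True, fpr, "DD key")
    if package in DM_UPLOAD_RIGHTS.get(fpr, set()):
        return TagVerdict(True, fpr, "DM key listed for this package")
    return TagVerdict(False, fpr, "key not authorised for this package")

# Constructed sample of what gpg emits for a good signature by the DD key.
DD_STATUS = [
    "[GNUPG:] GOODSIG 1111111111111111 Example DD <dd@example.org>",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 "
    "1704067200 0 4 0 1 10 00 1111111111111111111111111111111111111111",
]
```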

