
Re: git & Debian packaging sprint report



On Mon, 2019-07-15 at 20:54 +0200, Ansgar Burchardt wrote:
> Russ Allbery writes:
> > If so, I think that security model is roughly equivalent to the automatic
> > signing of binary packages by buildds, so probably doesn't introduce a new
> > vulnerability,
> 
> It doesn't rely on strong cryptographic hashes to guarantee integrity.
> To quote Wikipedia:
> 
> +---
> > Revision control systems such as Git, Mercurial, and Monotone use
> > SHA-1 not for security but to identify revisions and to ensure that
> > the data has not changed due to accidental corruption.
> +---[ https://en.wikipedia.org/wiki/SHA-1#Data_integrity ]
> 
> But developers could instead just sign artifacts using a strong
> cryptographic hash that will be included in the source package; for
> example the .orig.tar and .debian.tar which can be made reproducible
> (git-archive is supposed to be reproducible; compression might not be so
> just sign the uncompressed version).
[...]

There is already a convention for adding tarball signatures using git
notes, though it would need to be adapted for the two tarballs in
non-native packages.

See
<https://manpages.debian.org/buster/cgit/cgitrc.5.en.html#SIGNATURES>
and the "git-archive-signer" script in
<https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/>.

Ben.

-- 
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.
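An added illustration of the point made in the thread (sign the uncompressed archive, because the compressed bytes need not be reproducible). This is example code written for this page, not Ben's, Debian's, or the git-archive-signer script; it builds a small deterministic tar in memory as a stand-in for `git archive`, records a SHA-256 digest over that uncompressed tar in place of a real OpenPGP signature, and shows that a verifier which decompresses before checking still accepts the tarball even though two gzip encodings of the same tar differ byte-for-byte. The file contents and names are constructed sample data.

```python
import gzip
import hashlib
import io
import tarfile


def build_archive(files, mtime=0):
    """Build an uncompressed tar in memory with fixed metadata.

    Stand-in for `git archive --format=tar`, which for a given tree produces
    the same bytes on every run.  Fixed mtime/uid/gid/mode and sorted names
    make this function deterministic too.  `files` maps path -> bytes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    """Strong hash over the artifact; this digest is what would be signed."""
    return hashlib.sha256(data).hexdigest()


def compress(tar_bytes, gz_mtime):
    """Gzip the tar.  The gzip header carries an mtime field, so two
    compressions of identical input made at different times differ."""
    return gzip.compress(tar_bytes, compresslevel=9, mtime=gz_mtime)


def verify_compressed_tarball(gz_bytes, recorded_digest):
    """Check a .tar.gz against a digest recorded over the *uncompressed* tar.

    Decompress first, then hash: the check is independent of gzip metadata
    and compression settings, which is why signing the uncompressed stream
    is the robust choice.
    """
    tar_bytes = gzip.decompress(gz_bytes)
    return sha256_hex(tar_bytes) == recorded_digest


# Constructed sample tree (hypothetical package contents).
SAMPLE_FILES = {
    "pkg-1.0/debian/control": b"Source: pkg\n",
    "pkg-1.0/README": b"hello\n",
}


def demo():
    """Return (tar_reproducible, gz_identical, both_verify, tampered_verifies)."""
    tar_a = build_archive(SAMPLE_FILES)
    tar_b = build_archive(SAMPLE_FILES)
    digest = sha256_hex(tar_a)          # what the git note would record

    gz_1 = compress(tar_a, gz_mtime=1)  # "built on Monday"
    gz_2 = compress(tar_b, gz_mtime=2)  # "built on Tuesday"

    tampered = dict(SAMPLE_FILES, **{"pkg-1.0/README": b"evil\n"})
    gz_bad = compress(build_archive(tampered), gz_mtime=1)

    return (
        tar_a == tar_b,                           # uncompressed tar reproducible
        gz_1 == gz_2,                             # compressed bytes differ
        verify_compressed_tarball(gz_1, digest)
        and verify_compressed_tarball(gz_2, digest),
        verify_compressed_tarball(gz_bad, digest),
    )


if __name__ == "__main__":
    print(demo())
```

In a real workflow the recorded digest would be replaced by a detached OpenPGP signature over the uncompressed tar, and the verifier would decompress the .tar.gz (or .tar.xz) and run the signature check over the result, which is what lets a signature made from `git archive` output match a tarball recompressed by someone else.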
