
Re: tag2upload (git-debpush) service architecture - draft



On Sun, Jul 28, 2019 at 07:05:49PM +0100, Rebecca N. Palmer wrote:
> That suggests that working towards requiring the SHA-256 mode of git (which
> at least sort of exists since 2.21 [2], but I don't know if it's usable yet)
> might be a better use of effort.

Please keep in mind that the archive needs to verify this.  How do you
intend to provide the required information within the existing source
package structure?

> [1] needs reproducibility, but simpler than pristine-tar in that we're only
> trying to create _a_ reproducible tarball (not match one created by
> upstream) and don't need to compress it (as it can be deleted after hashing
> - unfortunately tar doesn't obviously have a write-to-stdout option to allow
> tar | sha256).  Reproducible builds suggests tar --sort=name --owner=0
> --group=0 --numeric-owner.

For now "git archive" with tar output seems to be reproducible from jessie
(2.1.4) to sid (2.23 rc).

Another idea, though we would need to trust some decompressors:

The hypothetical tool creates a complete .dsc file with the names and
checksums of the uncompressed files.  The user-signed .dsc is put into
the tag.

The tag2upload service creates the .changes files with the names and
checksums of the compressed files.  It is then signed by the upload
tool.

Accepting a package with dak would look more like this:
- Verify signature on .changes.
- Check for source-only (forced by the upload tool flag).
- Check checksums of included files.
- Verify signature of .dsc.
- Check ACL against user signature on .dsc.
- Decompress (this poses a DoS threat!).
- Check checksums of included decompressed files.
- Either:
  - accept compressed files as is.
  - re-compress (also DoS, due to large files), calculate new checksums,
    accept.

Due to the implicit compression of files listed in .dsc, I would say
this is a new source format.

Regards,
Bastian

-- 
A little suffering is good for the soul.
		-- Kirk, "The Corbomite Maneuver", stardate 1514.0
