Re: tag2upload service architecture and risk assessment - draft v2



Hi Sam

On Wed, Aug 28, 2019 at 09:42:56AM -0400, Sam Hartman wrote:
> During the DPL campaign, a number of people, including Joerg, made
> statements that I interpreted as explicitly wanting to make this change.
> That is, they wanted to move our authoritative source format to Git,
> possibly even getting rid of dscs in the medium future.

Maybe they should step up then and we can start discussing the larger
goal.  Because in the end they all need to solve the same problems.

We have to decide what guarantees the Debian archive should provide in
terms of verifiability.  This is however independent from the question
if there is Git involved or not.  And after both npm[1] and rubygems[2]
managed to provide trojaned binaries, it's more pressing than ever.

> At least in my mind, this is all predicated on believing that moving
> away from today's dscs toward git as authoritative source is actually a
> good idea.

What do you mean by "authoritative source"?  buildds should now download
a git repo, checkout the given sha1 and build it?  This means we can now
use gitlab-ci to build it, yeah!

However we often need to ship immutable source for license reasons,
sometimes even near the binaries.  So in some cases we can't refer to an
external Git repository.  How do you suggest we would handle them?

Currently the archive certifies the included source by signing the
Release file.  By retrieving the tar and verifying the checksum you can
be sure you've got the exact source that was included.  Do you know what
you have to do to actually get the same with Git?

> If you don't believe that, then you're never going to like this proposal
> at all.

I even provided the outline of a counterproposal providing almost the
same flexibility, but without sacrificing the current guarantees we have:
converting the git repo reproducibly into immutable source that we can
ship similar to what it is like now.  It just needs a specially formatted
and signed tag (plus some source format changes to get rid of
pristine-tar).

> I guess you could decide you want tag2upload somehow even though you
> don't want that transition.

This thread is about _how_ it can be done, not if.

Bastian

[1]: https://github.com/dominictarr/event-stream/issues/116
[2]: https://github.com/rest-client/rest-client/issues/713
-- 
Superior ability breeds superior ambition.
		-- Spock, "Space Seed", stardate 3141.9
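As an added example, not taken from this mail or from Debian's own tooling, the checksum chain the mail describes (signed Release file, then the Sources index it lists, then the source tarball the index lists) carried out in Python on constructed sample data. The Release signature check itself is assumed to have already been done by apt/gpgv before this code runs; the package name, file names, stanza contents and the uncompressed index path are made up for the example.

```python
import hashlib

# Constructed sample data, not real archive contents: a pretend orig
# tarball and the index entries that would describe it.
TARBALL_NAME = "hello_1.0.orig.tar.gz"
TARBALL = b"pretend upstream source tarball bytes\n"
SOURCES_PATH = "main/source/Sources"   # assumed uncompressed index path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sources_index(tarball_name: str, tarball: bytes) -> str:
    # Minimal Sources stanza: the Checksums-Sha256 field carries one
    # " <hash> <size> <name>" continuation line per file of the source package.
    return (
        "Package: hello\n"
        "Version: 1.0-1\n"
        "Directory: pool/main/h/hello\n"
        "Checksums-Sha256:\n"
        f" {sha256_hex(tarball)} {len(tarball)} {tarball_name}\n"
        "\n"
    )


def build_release(sources_index: str) -> str:
    # Minimal Release file: its SHA256 section lists every index file by
    # hash, size and path. This is the file the archive key signs.
    data = sources_index.encode()
    return (
        "Suite: unstable\n"
        "SHA256:\n"
        f" {sha256_hex(data)} {len(data)} {SOURCES_PATH}\n"
    )


def parse_hash_block(text: str, header: str) -> dict:
    """Collect ' <hash> <size> <name>' continuation lines under `header`.

    The Release SHA256 section and the Sources Checksums-Sha256 field share
    this shape, so one parser serves both.
    """
    entries = {}
    in_block = False
    for line in text.splitlines():
        if line == header:
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def check(data: bytes, expected: tuple) -> bool:
    digest, size = expected
    return len(data) == size and sha256_hex(data) == digest


def verify_source(release: str, sources: str, tarball_name: str, tarball: bytes):
    """Walk the hash chain Release -> Sources -> tarball.

    `release` is assumed to have passed the archive signature check already;
    from there every link is a size plus SHA-256 comparison, so a swapped
    Sources index or tarball is caught at the first link that no longer
    matches. Returns (ok, reason).
    """
    indexes = parse_hash_block(release, "SHA256:")
    if SOURCES_PATH not in indexes:
        return False, "Sources index not listed in Release"
    if not check(sources.encode(), indexes[SOURCES_PATH]):
        return False, "Sources index does not match Release"
    files = parse_hash_block(sources, "Checksums-Sha256:")
    if tarball_name not in files:
        return False, "tarball not listed in Sources"
    if not check(tarball, files[tarball_name]):
        return False, "tarball does not match Sources"
    return True, "ok"


SOURCES = build_sources_index(TARBALL_NAME, TARBALL)
RELEASE = build_release(SOURCES)

if __name__ == "__main__":
    print(verify_source(RELEASE, SOURCES, TARBALL_NAME, TARBALL))
    print(verify_source(RELEASE, SOURCES, TARBALL_NAME, TARBALL + b"\n"))
```

The point of the chain is that trust only has to be established once, on the Release signature; everything below it is content-addressed, which is exactly the property a Git-based flow has to reproduce if the tarball is no longer the thing being shipped.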