
Re: Using release-monitoring.org [was: uscan roadmap]



On Sat, Dec 04, 2021 at 02:43:56AM +0000, Scott Kitterman wrote:
> I think that there's a security consideration associated with all these
> proposals for externalizing finding upstream updates.  Currently watch files
> and at least the redirectors I know of all run on Debian infrastructure or on
> the systems of the Debian person doing the update.

I don't see how? At least repology just tells you "there is a new
upstream release", it doesn't tell you where to get it. It's up to the
maintainer to know where to download a new release.

Obviously if upstream is compromised and a new "release" is produced
that contains malicious code then there is a problem, but that is a
problem that is neither exacerbated nor mitigated by using repology.

> If one of these services were ever compromised it would provide a
> vector for offering substitute upstream code (at least for the cases
> where upstream releases aren't both signed by upstream and verified in
> Debian).  I find that prospect concerning.

Validating that upstream releases are valid is part of the job of being
a maintainer in Debian. Having some helper service that tells you there
is a new release doesn't change that.

-- 
     w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

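The check the thread keeps coming back to, that a "new upstream version" notice from repology or release-monitoring.org changes nothing about the maintainer's duty to verify the tarball against a key pinned in the package, is shown below as an added example. It is not code from this thread, from uscan or from any Debian tool; it only reuses the layout uscan expects (the upstream public key shipped as debian/upstream/signing-key.asc, a detached .asc next to the tarball, verification with gpgv). Package name, versions, keys and tarball contents are all constructed inside the script; it needs gpg and gpgv (GnuPG 2.1 or later) and touches nothing outside a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread and not uscan's own code: verify an
# upstream release against a key pinned in the source package, so that a
# substituted tarball fails no matter who announced its existence.
# Everything below (key names, package, tarballs) is constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 || {
    echo "gpg/gpgv not installed; cannot run the demo" >&2
    exit 0
}

WORK=$(mktemp -d)
SCRATCH="$WORK/scratch-gnupg"          # homedir for key-independent gpg calls
mkdir -m 700 "$SCRATCH"
cleanup() {
    # stop the agents gpg started for the throw-away homedirs, then delete them
    for h in "$WORK"/*-gnupg; do
        [ -d "$h" ] && GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOMEDIR UID: a throw-away signing key standing in for a private key
# the maintainer never sees (upstream's, or an attacker's)
gen_key() {
    mkdir -m 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" ed25519 sign 0 2>/dev/null
}

# sign_release HOMEDIR FILE: write FILE.asc, an armored detached signature
sign_release() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2"
}

# verify_upstream TARBALL SIGNATURE KEYRING_ASC
# Returns 0 only if SIGNATURE on TARBALL was made by a key in KEYRING_ASC.
# gpgv wants a binary keyring, so the shipped ASCII-armored key is dearmored
# into a temporary one; ~/.gnupg and the web of trust are never consulted,
# which is the whole point of pinning the key in debian/upstream/.
verify_upstream() {
    kr=$(mktemp)
    GNUPGHOME="$SCRATCH" gpg --batch --quiet --yes --dearmor --output "$kr" < "$3"
    if gpgv --keyring "$kr" "$2" "$1" 2>/dev/null; then
        rm -f "$kr"; return 0
    fi
    rm -f "$kr"; return 1
}

# demo: build the fixtures and run the three cases a maintainer cares about.
# Returns 0 only if the genuine release verifies and both substitutes are refused.
demo() {
    UP="$WORK/upstream-gnupg"; EVIL="$WORK/attacker-gnupg"
    gen_key "$UP"   'Demo Upstream <upstream@example.invalid>'
    gen_key "$EVIL" 'Not Upstream <nobody@example.invalid>'

    # the upstream key as shipped in the Debian source package
    KEY="$WORK/debian/upstream/signing-key.asc"
    mkdir -p "$WORK/debian/upstream"
    GNUPGHOME="$UP" gpg --batch --quiet --armor --export > "$KEY"

    # genuine release: constructed tarball plus upstream's detached signature
    printf 'pretend this is foo 1.2\n' > "$WORK/foo-1.2.tar.gz"
    sign_release "$UP" "$WORK/foo-1.2.tar.gz"

    # case 1: genuine tarball, genuine signature -> accepted
    verify_upstream "$WORK/foo-1.2.tar.gz" "$WORK/foo-1.2.tar.gz.asc" "$KEY" \
        || { echo "FAIL: genuine release rejected"; return 1; }

    # case 2: tarball altered after signing (e.g. swapped on the download host) -> refused
    cp "$WORK/foo-1.2.tar.gz" "$WORK/foo-1.2-tampered.tar.gz"
    printf 'one extra line\n' >> "$WORK/foo-1.2-tampered.tar.gz"
    if verify_upstream "$WORK/foo-1.2-tampered.tar.gz" "$WORK/foo-1.2.tar.gz.asc" "$KEY"; then
        echo "FAIL: tampered tarball accepted"; return 1
    fi

    # case 3: a "new release" signed by somebody else's key, the situation a
    # compromised notification service could steer a maintainer into -> refused
    printf 'pretend this is foo 1.3, built by someone else\n' > "$WORK/foo-1.3.tar.gz"
    sign_release "$EVIL" "$WORK/foo-1.3.tar.gz"
    if verify_upstream "$WORK/foo-1.3.tar.gz" "$WORK/foo-1.3.tar.gz.asc" "$KEY"; then
        echo "FAIL: release signed by an unpinned key accepted"; return 1
    fi

    echo "OK: genuine release verified; tampered and foreign-signed releases refused"
    return 0
}

DEMO_RESULT=0
demo || DEMO_RESULT=$?
```

Run it as `sh verify-demo.sh`; the only decision the script ever makes is "was this file signed by a key already in debian/upstream/signing-key.asc", so where the version number came from, and which mirror the tarball was fetched from, play no part in the result.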