
Re: Validating tarballs against git repositories



On Mon, Apr 01, 2024 at 06:36:30PM +0200, Vincent Bernat wrote:
> On 2024-04-01 12:44, Bastian Blank wrote:
> > So in the end you still need to manually review all the stuff that the
> > tarball contains extra to the git.  And for that I don't see that it
> > actually gives some helping hands and makes it easier.
> > 
> > So I really don't see how this makes the problem in hand any better.
> > Again the workload of review is on the person doing the job.  Aka we do
> > fragile manual work instead of possibly failing automatic work.
> 
> I think that if Debian was using git instead of the generated tarball, this
> part of the backdoor would have just been included in the git repository as
> well. If we were able to magically switch everything to git (and we won't,
> we are not even able to agree on simpler stuff), I don't think it would have
> prevented the attack.

Nothing prevents such an attack.  Prevention would be a 100% fix, which
cannot exist.  However, what we can do is to make it harder to pull off.

If they had been forced to commit all the activation code into the repo,
it would have been directly visible for everyone.  But instead, they
chose to only ship it in the tarballs.

That's why I asked if this would make it better, by removing this manual
review task from the maintainer.

Bastian

-- 
I object to intellect without discipline;  I object to power without
constructive purpose.
		-- Spock, "The Squire of Gothos", stardate 2124.5
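
A check for the manual review task the thread discusses, as an added example that is not part of the original mail or of any Debian tooling: it exports the tagged git tree and reports what the release tarball carries beyond it, so the review falls only on the listed files. It assumes git, tar and diff are installed and that the tarball wraps its files in one top-level directory; the repository and tarball in demo() are constructed for the example.

```sh
#!/bin/sh
# Report what a release tarball carries beyond the tagged git tree.
# Output lines come from diff -rq: "Only in tar/...: FILE" marks files that
# exist only in the tarball (the "extra" content a maintainer must review),
# "Files ... differ" marks tracked files whose tarball copy was altered.
# Usage: tarball_vs_git RELEASE.tar /path/to/clone TAG
tarball_vs_git() {
    work=$(mktemp -d) || return 1
    mkdir "$work/tar" "$work/git"
    tar -xf "$1" -C "$work/tar"
    # Export exactly the tagged tree: no .git metadata, nothing untracked.
    git -C "$2" archive --format=tar "$3" | tar -xf - -C "$work/git"
    # Assumption: upstream wraps everything in a single PROJECT-VERSION/ dir.
    top=$(ls "$work/tar")
    status=0
    (cd "$work" && diff -rq git "tar/$top") || status=$?
    rm -rf "$work"
    return "$status"   # 0: identical, 1: differences listed, 2: error
}

# Constructed demonstration: a one-commit repository tagged v1.0 and a
# tarball that adds a generated configure script, a file never committed to
# git, and an edited copy of a tracked file. Prints the review list.
demo() {
    d=$(mktemp -d) || return 1
    repo=$d/repo
    git init -q "$repo"
    mkdir "$repo/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$repo/configure.ac"
    printf 'dnl tracked macro\n' > "$repo/m4/tracked.m4"
    git -C "$repo" add .
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "release 1.0"
    git -C "$repo" tag v1.0
    # Build the tarball from a copy of the tree, then add what git never saw.
    mkdir "$d/demo-1.0" && cp -R "$repo/configure.ac" "$repo/m4" "$d/demo-1.0/"
    printf '#!/bin/sh\n# generated by autoconf\n' > "$d/demo-1.0/configure"
    printf 'dnl shipped only in the tarball\n' > "$d/demo-1.0/m4/not-in-git.m4"
    printf 'dnl tracked macro, edited after tagging\n' > "$d/demo-1.0/m4/tracked.m4"
    tar -cf "$d/demo-1.0.tar" -C "$d" demo-1.0
    tarball_vs_git "$d/demo-1.0.tar" "$repo" v1.0 || :   # 1 = differences found
    rm -rf "$d"
}
```

Files that legitimately exist only in the tarball (generated configure, Makefile.in) show up in the same list as anything unexpected, which is exactly the set the maintainer otherwise has to find by hand.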

