Bug#958559: debian-kernel-handbook: document how to verify authenticity of git sources
Package: debian-kernel-handbook
Version: 1.0.19
Severity: normal
Hi.
The handbook seems to use two git repos:
1) https://salsa.debian.org/kernel-team/linux.git
for Debian's packaging itself
2) git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
for the upstream sources, e.g. when building packages for a newer
vanilla version, or when bisecting
In both cases, the user would compile/execute code, which is effectively
unauthenticated and thus subject to all kinds of forgery.
Sure, (1) uses TLS, but given the extreme weakness of the
whole X.509 ecosystem, with ~150 CAs many of them extremely
untrustworthy or situated in countries known to abuse these
CAs for hacking... and several thousands of intermediate CAs...
it's effectively the same as unauthenticated.
(2) even uses a plain git:// URL which is not even HTTPS protected.
It would be nice if the handbook tells people how to verify their
repos by proper git means, i.e. verify signatures on tags.
At least for (2), Linus signs the tags, and the Debian kernel source
package contains Linus' and Greg's keys, so a user could at least
quite simply verify everything up to and including the respective tag.
For the (1) I guess you guys don't use signatures, though. :-/
Cheers,
Chris
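The tag-signature check Chris asks for, worked through end to end as an added example (not part of this bug report or of the handbook): a throwaway repository and an ephemeral key stand in for kernel.org and the maintainer's key so that everything runs offline, and the exported key file plays the role of the keys shipped in the Debian kernel source package (conventionally debian/upstream/signing-key.asc). It assumes git and gpg 2.1 or newer are installed.

```shell
#!/bin/sh
# Added example: verifying a signed git tag against a key you have chosen to trust.
# Everything runs in a temporary directory; the user's real keyring is never touched.
# Assumes git and gpg (2.1 or newer) are on PATH.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# 1. An ephemeral signing key standing in for the upstream maintainer's key (constructed).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Upstream Maintainer (constructed) <maint@example.invalid>' ed25519 sign never
FPR=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ { print $10; exit }')

# 2. A throwaway repository with one signed release tag and one merely annotated tag;
#    the latter stands in for a tag a mirror or a man-in-the-middle could substitute.
REPO="$WORK/repo"
git init -q "$REPO"
GIT="git -C $REPO -c user.name=maint -c user.email=maint@example.invalid -c user.signingkey=$FPR"
$GIT commit -q --allow-empty -m 'release v0.1'
$GIT tag -s v0.1 -m 'v0.1'
$GIT tag -a v0.2 -m 'v0.2 (not signed)'

# 3. The public key as a distributor would ship it, e.g. debian/upstream/signing-key.asc.
gpg --batch --armor --export "$FPR" > "$WORK/signing-key.asc"
: > "$WORK/no-keys.asc"   # an empty key file: the "I never obtained the key" case

# verify_tag REPO TAG KEYFILE
# Imports only the key(s) in KEYFILE into a fresh keyring and checks TAG against them,
# so a good result means "signed by a key I decided to trust", not "signed by somebody".
# Returns 0 for a good signature, 1 for a missing signature, unknown key or bad signature.
verify_tag() {
    repo=$1 tag=$2 keyfile=$3
    keyring=$(mktemp -d)
    chmod 700 "$keyring"
    GNUPGHOME="$keyring" gpg --batch --quiet --import "$keyfile" 2>/dev/null || true
    if GNUPGHOME="$keyring" git -C "$repo" verify-tag "$tag" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$keyring"
    return $rc
}

verify_tag "$REPO" v0.1 "$WORK/signing-key.asc" && echo "v0.1: good signature from the trusted key"
verify_tag "$REPO" v0.1 "$WORK/no-keys.asc"     || echo "v0.1 without the key: cannot be verified"
verify_tag "$REPO" v0.2 "$WORK/signing-key.asc" || echo "v0.2: not signed, rejected"
```

The same three outcomes are what `git verify-tag` gives on a real checkout: it only reports a good signature when the signing key is already in the keyring you run it with, so the step that matters is obtaining that key from a source you trust (here, the Debian source package) rather than from the repository being checked.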