
Bug#958559: marked as done (debian-kernel-handbook: document how to verify authenticity of git sources)



Your message dated Mon, 03 Oct 2022 00:20:59 +0000
with message-id <E1of9Cd-0008w8-Pw@fasolo.debian.org>
and subject line Bug#958559: fixed in kernel-handbook 1.0.20
has caused the Debian Bug report #958559,
regarding debian-kernel-handbook: document how to verify authenticity of git sources
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
958559: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958559
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-kernel-handbook
Version: 1.0.19
Severity: normal


Hi.

The handbook seems to use two git repos:
1) https://salsa.debian.org/kernel-team/linux.git
   for Debian's packaging itself
2) git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
   for the upstream sources, e.g. when building packages for a newer
   vanilla version, or when bisecting

In both cases, the user would compile/execute code, which is effectively
unauthenticated and thus subject to all kinds of forgery.


Sure, (1) uses TLS, but given the extreme weakness of the
whole X.509 ecosystem, with ~150 CAs many of them extremely
untrustworthy or situated in countries known to abuse these
CAs for hacking... and several thousands of intermediate CAs...
it's effectively the same as unauthenticated.

(2) even uses a plain git:// URL which is not even HTTPS protected.

It would be nice if the handbook told people how to verify their
repos by proper git means, i.e. verify signatures on tags.

At least for (2), Linus signs the tags, and the Debian kernel source
package contains Linus' and Greg's keys, so a user could at least
quite simply verify everything up to and including the respective tag.


For (1) I guess you guys don't use signatures, though. :-/

Cheers,
Chris

--- End Message ---
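The tag check the report asks for, and that the 1.0.20 changelog says the bisection instructions now include, as an added example (not code from the handbook, the bug report or the Debian kernel team): a shell function that imports only the keys from a given armored keyring file into a scratch GNUPGHOME and then runs git verify-tag against it, so a tag signed by any other key on the system does not pass. The path debian/upstream/signing-key.asc is my assumption about where the Debian linux source package ships Linus' and Greg's keys; keyring files and tag names in the usage comment are placeholders.

```shell
#!/bin/sh
# verify_upstream_tag REPO KEYRING TAG
# Checks that TAG in the Git checkout REPO is an annotated tag carrying a
# good OpenPGP signature from one of the keys in the armored file KEYRING.
# For a kernel.org checkout, KEYRING would be the Debian linux source
# package's debian/upstream/signing-key.asc (assumed path; it holds Linus'
# and Greg's keys).  The keys go into a throw-away GNUPGHOME so that only
# those keys can satisfy the check: against the user's normal keyring,
# "git verify-tag" also reports success for a tag signed by any other key
# that happens to be imported there.
# Usage: verify_upstream_tag ~/src/linux /path/to/signing-key.asc v6.0
verify_upstream_tag() {
    repo=$1; keyring=$2; tag=$3
    tmpgpg=$(mktemp -d) || return 1
    chmod 700 "$tmpgpg"
    if ! GNUPGHOME=$tmpgpg gpg --batch --quiet --import "$keyring" 2>/dev/null; then
        echo "verify_upstream_tag: cannot import keys from $keyring" >&2
        _vut_cleanup "$tmpgpg"; return 1
    fi
    # A lightweight tag is a bare ref and can never carry a signature, so
    # a tag that merely has a release-looking name must not be accepted.
    if [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" != tag ]; then
        echo "verify_upstream_tag: $tag is not an annotated tag in $repo" >&2
        _vut_cleanup "$tmpgpg"; return 1
    fi
    # git verify-tag exits non-zero for a bad signature, a missing
    # signature, or a signature from a key that is not in GNUPGHOME.
    if GNUPGHOME=$tmpgpg git -C "$repo" verify-tag "$tag" 2>/dev/null; then
        status=0
        echo "verify_upstream_tag: $tag has a good signature from a key in $keyring"
    else
        status=1
        echo "verify_upstream_tag: $tag FAILED signature verification" >&2
    fi
    _vut_cleanup "$tmpgpg"
    return "$status"
}

# Stop any gpg-agent started for the scratch home, then delete the home.
_vut_cleanup() {
    GNUPGHOME=$1 gpgconf --kill all >/dev/null 2>&1
    rm -rf "$1"
}
```

A good signature from a key that is in the keyring still only proves the tag was made by that key holder; which keys belong in the keyring is the trust decision the handbook's reader has to make once, when obtaining signing-key.asc from the Debian source package.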
--- Begin Message ---
Source: kernel-handbook
Source-Version: 1.0.20
Done: Ben Hutchings <benh@debian.org>

We believe that the bug you reported is fixed in the latest version of
kernel-handbook, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 958559@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <benh@debian.org> (supplier of updated kernel-handbook package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 03 Oct 2022 01:56:35 +0200
Source: kernel-handbook
Architecture: source
Version: 1.0.20
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Closes: 958559
Changes:
 kernel-handbook (1.0.20) unstable; urgency=medium
 .
   [ Tomasz Warniełło ]
   * Update Debian version in scope to 10
 .
   [ Ben Hutchings ]
   * Update links to {net,serial} console documentation on www.kernel.org
   * Correct the filenames where debug-info is enabled in the linux package
   * Link to lore.kernel.org as preferred mail archive
   * Makefile: Update name of public pages directory in clean rule
   * Makefile: Generate Git version in a way that works with GitLab CI variables
   * d/salsa-ci.yml: Add CI configuration for salsa.debian.org
   * Makefile, d/salsa-ci.yml: Move pages update to CI
   * Change URL for kernel Git repository to use HTTP-S
   * Fix a plaintext HTTP URL in the Japanese translation
   * Change bisection instructions to include verifying upstream Git tags
     (Closes: #958559)
   * Change custom package building examples to use the bindeb-pkg target
   * Remove documentation of genorig.py's obsolete, insecure tarball support
   * Add new build-dependencies to bisection instructions
   * Refer to libncurses-dev instead of the now-transitional libncurses5-dev
   * Capitalise "Git" outside of command and package names
   * Update copyright dates
   * Fix reference to GRUB documentation, and drop reference to LILO
   * Remove long-outdated reference to binary module packages in the archive
   * Replace the long explanation of using module-assistant with just "m-a a-i"
   * Document explicitly how to install module-assistant
   * Introduce subsections for OOT builds with and without module-assistant
   * Document DKMS as the preferred method for OOT module builds
   * Briefly document interaction of Secure Boot with OOT modules
   * State that Salsa merge requests are now the preferred way to contribute
   * Include all authors in the contributor list
   * Revise the bug handling policy:
     - Remove reference to defunct kerneloops.org site
     - Remove mention of maintainers analysing oopses
     - Refer to bug trackers generally, not specifically bugzilla.kernel.org
     - Mention mail archives as possible existing upstream references
     - Document when and where a maintainer or submitter should report upstream
   * Makefile: Generalise translated build target
   * Disable building of Japanese translation since it is now very incomplete
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Bump debhelper from old 11 to 12.
   * Set debhelper-compat version in Build-Depends.


--- End Message ---