
Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security



Henrique de Moraes Holschuh <hmh@debian.org> writes:
> On Thu, 24 Aug 2017, Sean Whitton wrote:

>> Seconded, but I think the integrity protection is a more important
>> reason to avoid the git protocol or http, so if we can come up with a
>> further change to reflect that it would be better.

> Attacking the integrity of the messages in transit requires active MITM
> attacks for all three protocols (http, https, git).

> https *without* strong certificate validation has no defense against
> active MITM, i.e. it does *not* protect message integrity against
> attacks.

> And since all of the required PKI for https to do strong certificate
> validation is out-of-band, we have to assume naive https use.

> So, no, this is not about integrity.  It is, at most, about privacy
> against passive eavesdroppers.  If you want integrity, a lot more is
> needed.

Right, exactly.

That said, the *scheme* still offers "integrity protection" in the
technical protocol sense (it protects against the tampering of messages
between the two endpoints of the protocol scheme), so we can say
confidentiality and integrity protection in the Policy language.  People
just shouldn't assume this provides any meaningful integrity protection in
the semantic sense.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
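
Added example, not part of the message above or of Debian Policy: a small Python check that lists the Vcs-* fields of a debian/control file and reports which of the three transports discussed in the thread (git, http, https) each one uses. The control stanza, hostnames and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample debian/control source stanza (not from a real package).
SAMPLE_CONTROL = """\
Source: example-pkg
Maintainer: Example Maintainer <maint@example.org>
Vcs-Git: git://git.example.org/example-pkg.git -b debian/sid
Vcs-Browser: http://git.example.org/example-pkg
Vcs-Svn: https://svn.example.org/example-pkg/trunk
"""

# Transport properties as discussed in the thread. "Protocol-level" protection
# covers only the link between the two endpoints of the scheme; it says nothing
# about whether the repository content itself is trustworthy.
SCHEMES = {
    "git": "plaintext: no confidentiality or integrity protection",
    "http": "plaintext: no confidentiality or integrity protection",
    "https": "encrypted: protocol-level confidentiality and integrity, "
             "only as strong as the client's certificate validation",
}

# Field names in control files are case-insensitive; the URL is the first token
# (Vcs-Git may carry a trailing "-b <branch>").
FIELD_RE = re.compile(r"^(vcs-[a-z0-9-]+):\s*(\S+)", re.IGNORECASE)


def audit_vcs_fields(control_text):
    """Return (field, url, scheme, assessment) for every Vcs-* field found."""
    findings = []
    for line in control_text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        field, url = match.groups()
        scheme = urlsplit(url).scheme.lower()
        findings.append((field, url, scheme,
                         SCHEMES.get(scheme, "not assessed in this example")))
    return findings


def plaintext_fields(control_text):
    """Names of Vcs-* fields that use the git or http transport."""
    return [f for f, _, s, _ in audit_vcs_fields(control_text)
            if s in ("git", "http")]


if __name__ == "__main__":
    for field, url, _, assessment in audit_vcs_fields(SAMPLE_CONTROL):
        print(f"{field}: {url}\n    {assessment}")
```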

