
Re: git & Debian packaging sprint report
On July 10, 2019 8:10:40 AM UTC, Sean Whitton <spwhitton@spwhitton.name> wrote:
>Hello,
>
>Over the weekend, Ian Jackson and I met in Cambridge, U.K. to work on
>the design and implementation of tools and processes relating to git &
>Debian packaging.
>
>Main achievement
>----------------
>
>We designed and implemented a system to make it possible for DDs to
>upload new versions of packages by simply pushing a specially formatted
>git tag to salsa.
>
>Please see this blog post to learn about how it works:
>https://spwhitton.name/blog/entry/tag2upload/
>
>While the cloud service part of this system has not yet been deployed,
>and so you can't just tag to upload yet, the blog post explains how you
>can run the cloud service in an ad-hoc mode on your laptop, and thereby
>get a feel for how it works.
...
Thanks for the detailed explanation.

Has there been any analysis of the security implications of this proposed service?

If I am understanding the description correctly, the transformation from git tag (which is signed and can be verified) to a source package (which can be signed and verified) will happen on an internet facing server (typically this would happen on a local developer machine) and, unless there is additional magic around key management that isn't described in the blog post, the private key for a key the archive trusts would also be there.

It seems to me that there is potential for a significant new attack surface that ought to be carefully assessed before this gets anywhere near wired up to feed into the archive from any kind of 'cloud' service.

Scott K
