Re: [RFC] General Resolution to deploy tag2upload
Quoting Luca Boccassi (2024-06-12 14:40:01)
> On Wed, 12 Jun 2024 at 12:52, Ian Jackson
> <ijackson@chiark.greenend.org.uk> wrote:
> >
> > Luca Boccassi writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> > > As far as I can tell, from what was shared in these documents, the
> > > security feature needed is an append-only repository, with safeguards
> > > that an individual developer cannot bypass. As far as I can tell, the
> > > same setup can be achieved with repository ACLs, and it would have the
> > > same vulnerability: an admin with full access to the server can bypass
> > > such measures, in either case. Is there something else I am missing?
> >
> > There is also an assurance question.  Salsa is running gitlab, which
> > is an extremely complicated piece of software with very many features.
> > Any one of those features (which are constantly changing) offers an
> > opportunity for compromise of Salsa.  Also, we don't have the
> > resources to audit all the code coming from gitlab upstream.
> >
> > The attack surface of the dgit repos server is much smaller.  Its
> > supply chain integrity is much better.  So it is much less likely to
> > be compromised.  (Also, diversity of implementation is helpful.)
> 
> Given we had a very well done and professional security review (thanks
> Russ!), I think we should defer to that and take it into serious
> consideration, and its conclusion seems quite clear to me in this
> regard:
> 
> "My security recommendation in this case is therefore to centralize
> the risk as much as possible, moving it off of individual uploader
> systems with unknown security profiles and onto a central system that
> can be analyzed and iteratively improved."
> 
> So I don't think this is a good argument. One system is better than
> two. And we need to secure all of it anyway, as Salsa is a component
> of the solution anyway.

I read the analysis more as saying that two systems are better than one
thousand systems.

I.e., centralizing (compared to builds done on developers' systems) onto a
system that can be analyzed (which Gitlab is quite a challenge to do).

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private