
Re: Security review of tag2upload



Hi Scott (2024.06.16_16:18:35_+0000)
> There are different risks for the end user.  Currently dget uses dscverify by
> default before unpacking a source package.  I'm not an expert at all, so I
> don't have any appreciation for the perceived risks that led to that being the
> default (IIRC, it wasn't always).  I am assuming that wasn't random.  I'm not
> sure how that would work in this new paradigm.

This mechanism is also far from perfect. The signature was made when the
source package was built, and that could have been several releases
ago for a slow-moving package. This key may or may not be present in any
of the keyring packages on the user's machine, and it could be expired.

This check is done in dget, because it's all it can really do.  There
are many different use-cases for dget. In some of them it's a useful
check, for others maybe not.

A tag2upload source package will have been signed with tag2upload's key.
So, assuming this is available in a local keyring, you can still verify
that this was a package that was signed by tag2upload for uploading to
Debian. That actually tells you more than being signed directly by a
developer, because you know it was uploaded to the Debian archive.

I imagine many tools like dscverify will have to learn to extract the
metadata added by tag2upload, to name the tag signer.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272
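As an added illustration of the verification step discussed above (not code from the thread, from dget/dscverify or from tag2upload): dscverify hands the .dsc to gpgv with one or more --keyring options and reads gpgv's machine-readable --status-fd output, which is where the three outcomes Stefano mentions show up (key present and valid, key present but expired, key absent from every local keyring). The parser below interprets such status lines and then classifies the signing key as the developer's or tag2upload's by full fingerprint. The status lines, fingerprints and user IDs are constructed for the example; the tag2upload key's real fingerprint and any metadata field it adds to the .dsc are not shown on this page, so the assumption that a tag2upload signature is simply distinguished by its key fingerprint is the example's own.

```python
"""Interpret gpgv --status-fd output for a .dsc (as a dget/dscverify-style
wrapper would) and classify the signing key against local keyrings.

Added example, not project code.  Typical invocation that produces such lines:
  gpgv --status-fd 1 --keyring /usr/share/keyrings/debian-keyring.gpg foo.dsc
All fingerprints, key IDs and status lines below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class SigVerdict:
    status: str                        # valid | expired-key | no-pubkey | bad | none
    keyid: Optional[str] = None        # long key ID reported by gpgv
    fingerprint: Optional[str] = None  # primary-key fingerprint from VALIDSIG
    signer: str = "unknown"            # tag2upload | developer | unknown


def parse_gpgv_status(lines: Iterable[str]) -> SigVerdict:
    """Reduce gpgv status lines to one verdict.  Unknown tags are ignored."""
    v = SigVerdict(status="none")
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        tag, args = fields[0], fields[1:]
        if tag == "GOODSIG":
            v.status, v.keyid = "valid", args[0]
        elif tag == "EXPKEYSIG":          # signature fine, but the key has expired
            v.status, v.keyid = "expired-key", args[0]
        elif tag == "NO_PUBKEY":          # signer not in any --keyring given
            v.status, v.keyid = "no-pubkey", args[0]
        elif tag == "BADSIG":
            v.status, v.keyid = "bad", args[0]
        elif tag == "VALIDSIG":
            # Fields: sig-fpr date timestamp expire version reserved pkalgo
            # hashalgo sigclass primary-fpr.  Prefer the primary-key fingerprint.
            v.fingerprint = args[9] if len(args) >= 10 else args[0]
    return v


def classify_signer(v: SigVerdict, developer_fprs: Set[str],
                    tag2upload_fprs: Set[str]) -> SigVerdict:
    """Match on the full fingerprint, never on the 64-bit key ID alone."""
    if v.fingerprint is None:
        return v
    if v.fingerprint in tag2upload_fprs:
        v.signer = "tag2upload"
    elif v.fingerprint in developer_fprs:
        v.signer = "developer"
    return v


def verify_dsc_status(lines: Iterable[str], developer_fprs: Set[str],
                      tag2upload_fprs: Set[str]) -> SigVerdict:
    return classify_signer(parse_gpgv_status(lines), developer_fprs, tag2upload_fprs)


# --- constructed sample data -------------------------------------------------
SAMPLE_TAG2UPLOAD_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"   # constructed
SAMPLE_DEVELOPER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"    # constructed

SAMPLE_STATUS_TAG2UPLOAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG DDDD4444EEEE5555 tag2upload key (constructed) <nobody@example.invalid>",
    f"[GNUPG:] VALIDSIG {SAMPLE_TAG2UPLOAD_FPR} 2024-06-16 1718553515 0 4 0 22 8 00 "
    f"{SAMPLE_TAG2UPLOAD_FPR}",
]
SAMPLE_STATUS_EXPIRED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Some Developer (constructed) <nobody@example.invalid>",
    f"[GNUPG:] VALIDSIG {SAMPLE_DEVELOPER_FPR} 2021-01-01 1609459200 0 4 0 1 8 00 "
    f"{SAMPLE_DEVELOPER_FPR}",
]
SAMPLE_STATUS_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1609459200 9",
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567",
]

if __name__ == "__main__":
    for name, lines in (("tag2upload", SAMPLE_STATUS_TAG2UPLOAD),
                        ("expired", SAMPLE_STATUS_EXPIRED),
                        ("no-key", SAMPLE_STATUS_NO_KEY)):
        print(name, verify_dsc_status(lines, {SAMPLE_DEVELOPER_FPR},
                                      {SAMPLE_TAG2UPLOAD_FPR}))
```

A wrapper that wants the stronger statement Stefano describes ("this package was signed by tag2upload for uploading to Debian") would accept only `status == "valid"` together with `signer == "tag2upload"`; an expired developer key or a NO_PUBKEY result is where the older dget-time check degrades, and neither should be silently treated as success.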

