Re: A thought experiment regarding tag2upload and trust
On June 17, 2024 5:23:41 AM UTC, Russ Allbery <rra@debian.org> wrote:
>Bastian Blank <waldi@debian.org> writes:
>
>> But maybe you can answer the question: Given the .dsc file, how can
>> you, and more critical the public, verify that you and only you signed
>> that upload?
>
>Why is this, specifically, important?
>
>I can turn that question around: given the .dsc file, how can I find the
>Git tree that the maintainer vetted and intended to upload to the archive?
>Why should I have any faith in the archive if I cannot verify that?
>
>I don't think this is a useful way to talk about the security guarantees
>that we can provide. You are massively overindexing on a very specific
>implementation detail that does not prove what you seem to think it
>proves.
>
I think if you want to step away from the implementation details, the more abstract point is that you don't need data from outside the archive (or a mirror of the archive) in order to verify that the source package you downloaded has not been modified since then and who uploaded it.
You may not think that this property of our package archive is particularly important, but not everyone agrees.
As it happens, though, you can't tell if what's in the archive matches the uploader's intent with tag2upload either. All you can vet is that the tag2upload service claims it does. You may think that's better, but neither of them is entirely free of risk.
Scott K
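The property Scott describes (verifying from the .dsc alone that the source has not been modified) rests on the Checksums fields inside the clearsigned .dsc. The following is an added example, not code from this thread or from Debian's tooling: it strips the OpenPGP clearsign armor, parses Checksums-Sha256 and checks constructed tarball bytes against it. The package name, file contents and signature block are constructed placeholders, and verifying the signature itself (gpg against the Debian keyring, which answers the "who uploaded it" half) is assumed to happen separately.

```python
import hashlib

# Constructed stand-ins for the tarballs a .dsc references (not real packages).
FILES = {
    "hello_1.0.orig.tar.gz": b"constructed orig tarball contents\n",
    "hello_1.0-1.debian.tar.xz": b"constructed debian tarball contents\n",
}

def build_sample_dsc(files: dict[str, bytes]) -> str:
    """Construct a clearsigned-looking .dsc for the demo; the signature block is a placeholder."""
    sums = "\n".join(f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}" for n, d in files.items())
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n"
            f"Checksums-Sha256:\n{sums}\n"
            "-----BEGIN PGP SIGNATURE-----\n[placeholder signature block]\n"
            "-----END PGP SIGNATURE-----\n")

def strip_clearsign(text: str) -> str:
    """Return the signed body of a clearsigned .dsc (between the armor headers and the signature).
    Signature verification is assumed done elsewhere; this only removes the armor so fields parse."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text  # unsigned .dsc: body is the whole file
    start = lines.index("") + 1  # blank line ends the "Hash:" armor headers
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    # Clearsigning dash-escapes body lines that start with '-'; undo that
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end]) + "\n"

def parse_checksums_sha256(body: str) -> dict[str, tuple[str, int]]:
    """Map file name -> (sha256 hex digest, size) from the multi-line Checksums-Sha256 field."""
    out, in_field = {}, False
    for line in body.splitlines():
        if in_field and line.startswith(" "):
            digest, size, name = line.split()
            out[name] = (digest.lower(), int(size))
            continue
        in_field = line.startswith("Checksums-Sha256:")
    return out

def verify_dsc(dsc_text: str, files: dict[str, bytes]) -> dict[str, bool]:
    """For each file named in the .dsc, True only if present with matching size and SHA-256."""
    expected = parse_checksums_sha256(strip_clearsign(dsc_text))
    return {name: bool(files.get(name) is not None and len(files[name]) == size
                       and hashlib.sha256(files[name]).hexdigest() == digest)
            for name, (digest, size) in expected.items()}

if __name__ == "__main__":
    dsc = build_sample_dsc(FILES)
    print("untouched:", verify_dsc(dsc, FILES))
    tampered = dict(FILES, **{"hello_1.0.orig.tar.gz": FILES["hello_1.0.orig.tar.gz"] + b"x"})
    print("tampered orig:", verify_dsc(dsc, tampered))
```

A modified or missing tarball shows up as False for that entry, while the check needs nothing beyond the .dsc and the files it names.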