Re: A thought experiment regarding tag2upload and trust
Scott Kitterman <debian@kitterman.com> writes:
> I think if you want to step away from the implementation details, the
> more abstract point is that you don't need data from outside the archive
> (or a mirror of the archive) in order to verify that the source package
> you downloaded has not been modified since then and who uploaded it.
tag2upload provides all of this. It provides both a verification that the
source package has not been modified and detailed information on who
uploaded it.
The information it provides is not trustworthy if the tag2upload server
has been compromised. The signature on the *.dsc file today is not
trustworthy if the system on which the uploader generated the source
package has been compromised. I consider these to be parallel cases
since, in the tag2upload design, the tag2upload server *is* the system on
which the maintainer directs the construction of the source package.
The design replaces a highly heterogeneous variety of workflows with a
centralized system that is also a centralized attack target. This has
various security properties and trade-offs about which we can disagree.
But that disagreement necessarily requires some nuance to state it
precisely. People keep trying to discard the nuance and, as a result, at
least in my opinion, make claims that are either incorrect or simplified
to the point of uselessness.
> As it happens though you can't tell if what's in the archive matches the
> uploader intent with tag2upload either.
Correct, and this is exactly why I said that I don't consider this a
useful way to talk about security guarantees.
With tag2upload, you can trace the provenance of the source package
*closer* to maintainer intent, and to a much richer format that is easier
to audit. I think this is a security benefit.
> All you can vet is that the tag2upload service claims it does. You may
> think that's better, but neither of them are entirely free of risk.
I completely agree with this.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
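The integrity half of the point argued above (that the archive alone lets you check a source package has not been modified since upload) is mechanical: the .dsc lists a SHA-256 digest and size for every file that makes up the source package. The following is an added example, not code from this thread, from Debian's tools or from the tag2upload project; it parses that field from a constructed .dsc stanza and checks constructed file contents against it. It assumes the clearsign armour has already been stripped (as `gpg --verify --output` or `dscverify` would do) and deliberately does not verify the OpenPGP signature, because that signature is the "who uploaded it" half: whichever key signed the stanza, the uploader's own or the tag2upload service's, is the trust root the thread is actually arguing about.

```python
"""Check a Debian source package against the checksums in its .dsc.

Added example, not code from the thread or from the tag2upload project.
The integrity check needs nothing outside the archive: the .dsc lists the
SHA-256 digest and size of every file in the source package.  The OpenPGP
signature over the .dsc text (not verified here) is what binds that list
to an uploader or to a signing service.
"""
import hashlib


def parse_checksums(dsc_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hex_digest, size)} from one multi-line checksum field.

    deb822 fields start at column 0 as "Name: value"; continuation lines
    start with whitespace.  The first non-continuation line ends the field.
    """
    entries = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field:
            if line[:1].isspace() and line.strip():
                parts = line.split()
                if len(parts) != 3:
                    raise ValueError(f"malformed {field} line: {line!r}")
                digest, size, name = parts
                entries[name] = (digest.lower(), int(size))
                continue
            break  # the next field (or end of stanza) terminates the list
        if line.split(":", 1)[0] == field:
            in_field = True
    if not in_field:
        raise ValueError(f"{field} field not found")
    return entries


def verify_source_files(dsc_text: str, files: dict) -> list:
    """Compare in-memory file contents against the .dsc; return problems found.

    An empty list means every listed file is present with the right size
    and SHA-256 digest.  Problems are reported in the .dsc's own order.
    """
    problems = []
    for name, (digest, size) in parse_checksums(dsc_text).items():
        data = files.get(name)
        if data is None:
            problems.append(f"missing: {name}")
            continue
        if len(data) != size:
            problems.append(f"size mismatch: {name}")
        if hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"sha256 mismatch: {name}")
    return problems


# Constructed stand-ins for the tarballs; real ones would be xz archives.
SAMPLE_FILES = {
    "example_1.0.orig.tar.xz": b"constructed stand-in for the upstream tarball\n",
    "example_1.0-1.debian.tar.xz": b"constructed stand-in for the debian/ tarball\n",
}


def build_sample_dsc(files: dict) -> str:
    """Construct the unsigned stanza a .dsc would carry for these files."""
    lines = [
        "Format: 3.0 (quilt)",
        "Source: example",
        "Version: 1.0-1",
        "Checksums-Sha256:",
    ]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    # A second multi-line field follows, as in a real .dsc, so the parser's
    # field termination is exercised.
    lines.append("Checksums-Sha1:")
    for name, data in files.items():
        lines.append(f" {hashlib.sha1(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dsc = build_sample_dsc(SAMPLE_FILES)
    print(dsc)
    print("untouched:", verify_source_files(dsc, SAMPLE_FILES) or "OK")
    # Flip one byte without changing the length: only the digest catches it.
    tampered = dict(SAMPLE_FILES)
    tampered["example_1.0-1.debian.tar.xz"] = (
        b"X" + SAMPLE_FILES["example_1.0-1.debian.tar.xz"][1:]
    )
    print("tampered:", verify_source_files(dsc, tampered))
```

The check is the same regardless of how the .dsc was produced; what differs between a maintainer-built upload and a tag2upload build is only whose key signed the stanza, and therefore which compromised machine would make the list untrustworthy.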