On 25.06.24 01:26, HW42 wrote:
> But you are trusting the Developer system that signs the tag or source package anyway. If compromised it can simply sign malicious code in both cases.
It's not that easy. Hiding compromised code in our tarballs is easy. Nobody will ever look at them (ordinarily) and you only need a single shell script running as the developer in question; given inotify it doesn't even show up in "top" while it waits for an opportunity to strike.
Hiding compromised code in git is difficult, given that actual people routinely look at commit histories and diffstats and diffs, esp. right between "I create the signed tag" and "I push the t2u tag to Salsa" (we could even tell the push script to show the git log by default before doing so).
If you want to hide [part of] a commit from the developer you'd need to replace the actual git executable with a copy that's been compromised in various interesting and nontrivial ways.
-- 
-- Kind regards
-- 
-- Matthias Urlichs
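A defender-side check for the tarball half of the argument above, added here as an example and not code from the mail, from tag2upload or from Debian: a POSIX shell function that unpacks a source tarball and compares it file by file against the committed tree of the signed tag, so a tarball altered after the tag was signed shows up as a diff instead of going unread. The function, its name and the upload-hook usage are assumptions; it is meant to run inside the git checkout after `git verify-tag` has checked the tag's signature.

```shell
# Compare a source tarball against the tree recorded at a git tag.
# Hypothetical helper (not from tag2upload): run from inside the git
# checkout, after 'git verify-tag TAG' has checked the tag signature.
# Returns 0 when the tarball's tree is identical to the tag's tree and 1
# (printing the differing paths/hunks) when anything was added, removed
# or edited; 2 on setup trouble.
tarball_matches_tag() {
    tag=$1
    tarball=$2
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/tag" "$tmp/tar"

    # Materialise the committed tree of the tag, not the working copy,
    # so stray edits in the checkout cannot mask a difference.
    git archive --format=tar "$tag" | tar -xf - -C "$tmp/tag"

    # Unpack the tarball; if it has the usual single top-level directory
    # (e.g. proj-1.2/), descend into it so the two trees line up.
    tar -xf "$tarball" -C "$tmp/tar"
    root=$tmp/tar
    entry=$(ls -A "$root")
    if [ "$(printf '%s\n' "$entry" | wc -l)" -eq 1 ] && [ -d "$root/$entry" ]; then
        root=$root/$entry
    fi

    # diff -r exits 1 on any added, missing or changed file.
    rc=0
    diff -r "$tmp/tag" "$root" || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: tarball_matches_tag <tag> <tarball>   (e.g. from an upload hook)
if [ $# -eq 2 ]; then
    tarball_matches_tag "$1" "$2"
fi
```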