Re: Security review of tag2upload
>
> Building a source package is a lot more opaque and gives the attacker a
> lot more room to hide. Adding malicious code to tar to inject something
> into source packages is a lot quieter
How many packages have a pubkey for the orig file?
Perhaps we should encourage upstreams to sign more?
I guess that means giving up PyPI as a place to download from, since they have
removed support for signatures.
But for example KDE tarballs are all signed.
--
Salvo Tomaselli
"I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use."
-- Galileo Galilei
https://ltworf.codeberg.page/