Package: git-buildpackage Version: 0.6.0~git20120601 Severity: normal Tags: patch
Currently, the message in the debian tag is just: "Debian release %s" % cp.version This is a bad idea, because it means that the signed message itself contains no mention of the project that is being worked on. Since all git repositories are conceptually the same git repository (some just have commits that others don't have), a malicious attacker could inject tags from project A into the repository for project B and the original developer's signature on those tags would be intact. This is potentially a security problem. For example: if there are automated build systems that pull from a repo and verify signed tags made by a known developer (and that developer contributes to multiple projects), this conflation could be used to make those systems build packages from an entirely other project. The attached patch enforces the inclusion of the name of the package into the tag's message. Regards, --dkg -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages git-buildpackage depends on: ii devscripts 2.12.6 ii git 1:1.7.10.4-1+wheezy1 ii python 2.7.3-4 ii python-dateutil 1.5+dfsg-0.1 ii python2.6 2.6.8-1.1 ii python2.7 2.7.3-6 Versions of packages git-buildpackage recommends: pn cowbuilder <none> ii pristine-tar 1.25 Versions of packages git-buildpackage suggests: pn python-notify <none> ii unzip 6.0-8 -- debconf-show failed
diff --git a/gbp/scripts/buildpackage.py b/gbp/scripts/buildpackage.py index 4137e66..f738f97 100755 --- a/gbp/scripts/buildpackage.py +++ b/gbp/scripts/buildpackage.py @@ -551,7 +551,7 @@ def main(argv): tag = repo.version_to_tag(options.debian_tag, cp.version) if options.retag and repo.has_tag(tag): repo.delete_tag(tag) - repo.create_tag(name=tag, msg="Debian release %s" % cp.version, + repo.create_tag(name=tag, msg="%s Debian release %s" % (cp['Source'], cp.version), sign=options.sign_tags, keyid=options.keyid) if options.posttag: sha = repo.rev_parse("%s^{}" % tag)