Russ Allbery writes:
> If so, I think that security model is roughly equivalent to the automatic
> signing of binary packages by buildds, so probably doesn't introduce a new
> vulnerability,

It doesn't rely on strong cryptographic hashes to guarantee integrity.

To quote Wikipedia:

+---
| Revision control systems such as Git, Mercurial, and Monotone use
| SHA-1 not for security but to identify revisions and to ensure that
| the data has not changed due to accidental corruption.
+---[ https://en.wikipedia.org/wiki/SHA-1#Data_integrity ]

But developers could instead just sign artifacts using a strong
cryptographic hash that will be included in the source package; for
example the .orig.tar and .debian.tar, which can be made reproducible
(git-archive is supposed to be reproducible; compression might not be,
so just sign the uncompressed version).

We shouldn't go back to trusting SHA-1.

> There are also some interesting nuances here around handling DM packages,
> where not everyone with a key in the keyring can upload every package,
> although the obvious way to address that is probably for this service to
> do the same DM checks that ftpmaster would normally do.

We have other permissions checks as well; they shouldn't be reimplemented
in different places. Instead the archive (dak) should know who signed the
package.

Ansgar
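Worked example (added here; not code from Ansgar's or Russ's messages, nor from dak) of the "sign the uncompressed version" point above: a POSIX sh snippet that takes the uncompressed git-archive output of a tag, computes a SHA-256 digest in the form a signed source package would carry, and checks that a fresh clone yields the byte-identical archive. The repository contents, the tag upstream/1.0 and the prefix hello-1.0 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: bind a strong hash (SHA-256) to the uncompressed
# `git archive` output of a tag, so the signed source package covers the
# artifact itself rather than relying on the SHA-1 commit id for integrity.
set -eu

# archive_digest <repo> <tag> <prefix>
# Prints "<sha256>  <prefix>.tar" for the uncompressed archive of <tag>.
# The tar stream is hashed directly from git; no temporary file is written.
archive_digest() {
    repo=$1; tag=$2; prefix=$3
    sum=$(git -C "$repo" archive --format=tar --prefix="$prefix/" "$tag" \
          | sha256sum | cut -d' ' -f1)
    printf '%s  %s\n' "$sum" "$prefix.tar"
}

# check_reproducible <repo> <tag> <prefix>
# Builds the archive from <repo> and again from a fresh clone and succeeds
# only when both digests agree. Because only the uncompressed tar bytes are
# hashed, gzip/xz settings and timestamps in the compressor cannot interfere.
check_reproducible() {
    repo=$1; tag=$2; prefix=$3
    tmp=$(mktemp -d)
    git clone -q "$repo" "$tmp/clone"
    a=$(archive_digest "$repo" "$tag" "$prefix")
    b=$(archive_digest "$tmp/clone" "$tag" "$prefix")
    rm -rf "$tmp"
    [ "$a" = "$b" ]
}

# make_demo_repo <dir>
# Constructed sample repository with a single tagged commit. Identity and
# dates are pinned so the commit id (and thus the archive) is deterministic.
make_demo_repo() {
    dir=$1
    mkdir -p "$dir"
    git -C "$dir" init -q
    printf 'Source: hello\n' > "$dir/control"
    git -C "$dir" add control
    GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid \
    GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid \
    GIT_AUTHOR_DATE='2024-01-01T00:00:00Z' \
    GIT_COMMITTER_DATE='2024-01-01T00:00:00Z' \
        git -C "$dir" commit -q -m 'Initial import'
    git -C "$dir" tag upstream/1.0
}
```

Source the file, then run `make_demo_repo /tmp/hello && check_reproducible /tmp/hello upstream/1.0 hello-1.0 && archive_digest /tmp/hello upstream/1.0 hello-1.0`; the printed digest line is what the maintainer's signature should cover.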