On 28/07/2019 10:58, Bernd Zeimetz wrote:
> On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:
>> As a way to avoid relying on SHA-1, would it work to have git-debpush
>> include a longer hash in the tag message, and tag2upload also verify
>> that hash?
> What exactly would you create that long hash of?
The signer's local files when they run git-debpush. (To be decided: how
to define the hash of a directory tree (as opposed to a single file),
i.e. "tar | sha256 like a .dsc" or "what git uses but sha256".)
The hash security is for ensuring that tag2upload is seeing the same
content as the signer did, and not something different an attacker
placed on Salsa. (If the attacker can get their changes into the
signer's local copy without the signer noticing, we'd have a problem
whatever method the signer uses to upload it.)
This does sort of raise the question of why not prefer "keep .dscs, but
hide them from the user and regenerate tarballs", but this might be
inappropriately reopening an already decided issue. (I remember it
being suggested before, but not what (if any) response this got.)
(+/=/- are relative to the existing proposal)
 + Security: dak doesn't have to trust dgit-repos-server
   (avoids both weak hashes and potential bugs)
 + Compatibility: finding the signer's name from the .dsc still works
 = Uploader only needs to do 'git debpush'
 = Doesn't spend uploader's (possibly low/expensive) bandwidth on
   uploading what Salsa already has
 - Someone would have to implement it
   (if that's me - not in Perl and I'm not a DD or a security specialist)
git-debpush:
    create .dsc                      # as normal
    create tag                       # as normal, only needs version number
    sign tag                         # not strictly required, but since the next step
                                     # needs a key anyway, good to automate best practice
    sign .dsc
    push tag to Salsa
    upload .dsc to dgit-repos-server # but not its tarballs

dgit-repos-server --tag2upload:
    receive .dsc
    check .dsc signature             # do this first to prevent DoS
                                     # maybe also check the version number to prevent DoS by
                                     # re-submitting old/non-Debian .dscs
    fetch source from Salsa
    create source package tarballs
    check if these match the .dsc hashes # not strictly required as
                                     # dak will do it again anyway, but easy
    dput the .dsc+tarballs           # as normal

# not sure where .changes fits into this:
# replace ".dsc" by ".dsc+.changes" throughout?
# or have dgit-repos-server create .changes as if it were a buildd?
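The "what git uses but sha256" option for hashing the signer's tree, worked through as an added example (this is not code from the thread, git-debpush or tag2upload): a git-style tree hash over file names, modes and content with SHA-256 in place of SHA-1, which the signer and tag2upload can compute independently because timestamps and ownership are not part of it, unlike an unnormalised "tar | sha256". The sample tree, file names and contents are constructed for illustration.

```python
"""Git-style tree hash, SHA-256 in place of SHA-1 (constructed example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def blob_hash(data: bytes) -> str:
    """Hash one file's content the way git frames a blob, but with SHA-256."""
    h = hashlib.sha256()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.hexdigest()

def tree_hash(directory: Path) -> str:
    """Hash names, modes and content only: mtimes, owners and .git/ are ignored."""
    entries = []
    for child in sorted(directory.iterdir(), key=lambda p: p.name):
        if child.name == ".git":
            continue
        if child.is_symlink():  # check before is_dir(), which follows links
            mode, digest = "120000", blob_hash(os.readlink(child).encode())
        elif child.is_dir():
            mode, digest = "40000", tree_hash(child)
        else:
            executable = child.stat().st_mode & stat.S_IXUSR
            mode = "100755" if executable else "100644"
            digest = blob_hash(child.read_bytes())
        entries.append(f"{mode} {child.name}\0".encode() + bytes.fromhex(digest))
    body = b"".join(entries)
    h = hashlib.sha256()
    h.update(b"tree %d\0" % len(body))
    h.update(body)
    return h.hexdigest()

def demo() -> dict:
    """Constructed sample tree: what does and does not change the hash."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "debian").mkdir()
        (root / "debian" / "control").write_text("Source: example\n")
        (root / "hello.c").write_text("int main(void) { return 0; }\n")
        before = tree_hash(root)
        os.utime(root / "hello.c", (0, 0))   # only the mtime changes ...
        after_touch = tree_hash(root)        # ... so the hash must not
        (root / "hello.c").write_text("int main(void) { return 1; }\n")
        after_edit = tree_hash(root)         # one byte of content changed
    return {"before": before, "after_touch": after_touch, "after_edit": after_edit}

if __name__ == "__main__":
    print(demo())
```

A tag message carrying the signer's tree_hash lets tag2upload recompute it over what it fetched from Salsa and refuse the upload on mismatch, independently of which hash git itself uses internally.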