Hello Bastian,

On Wed 31 Jul 2019 at 10:37PM +02, Bastian Blank wrote:

> On Wed, Jul 31, 2019 at 03:21:32PM -0400, Sam Hartman wrote:
>> Bastian> One last time: The user has to certify his upload in a way
>> Bastian> the archive can verify.
>> Let me see if I'm correctly understanding this requirement. You're
>> saying that given the dsc presented to dak by the tag2upload service,
>> dak needs to be able to verify the contents of the DSC based on the
>> user's signature and no external data.
>
> Yes.
>
> dak will push the signed .dsc into the pool. This file and the complete
> source package can then be verified independently by everyone. We don't
> need to trust ftp-master's verification of the signature.
>
>> So, if the tag2upload service does some transformation to produce the
>> dsc:
>> 1) dak needs to be able to verify the inputs to that transformation
>> and
>> 2) confirm those inputs are certified back to a user signature.
>
> Not only dak, but everyone who downloads the source package needs to be
> able to verify the user signature.
>
> Ian's tag2upload tool wants to replace the user signature with a tool
> signature. The user signature used as input for the tool would no
> longer be verifiable, as the input is not provided. So everything after
> that would need to trust the tool and the infrastructure it runs on.
> This means we would need to trust it more than we need to trust
> ftp-master for source package verification.

Okay, thanks.

I think that the Git-Tag-Info field solves this. With that field
available, anyone can do the following to perform an equivalent
verification:

1. fetch the .dsc from the archive
2. fetch, from dgit-repos, the tag given in the Git-Tag-Info field of
   the .dsc
3. check the uploader's signature on that tag against the Debian
   keyring/the Debian maintainers keyring/whatever it is the user wants
   to trust
4. produce a .dsc from the tag by running `dgit --quilt=foo build-source`,
   where 'foo' is a value from the signed metadata in the tag
5. unpack the .dscs from steps (1) and (4) with `dpkg-source -x`
6. the verification succeeds if the two unpacked trees are the same.

This process does not require trusting either ftp-master or dgit-repos.

Also, it should be noted that the tag cannot be deleted from dgit-repos
(except by a service administrator). So we don't have to rely on salsa
either.

Given the above, I believe your requirement is satisfied by tag2upload,
with only the addition of the new Git-Tag-Info field. Perhaps you could
confirm my reasoning here.

-- 
Sean Whitton
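The six-step re-verification laid out in the message above, written up as a shell script. This is an added example, not code from this thread or from dgit, and it assumes three things the mail does not state: that the Git-Tag-Info value is the bare tag name, that the signed tag message carries a `quilt=MODE` token, and that dgit-repos serves the package at `https://git.dgit.debian.org/PACKAGE`.

```shell
#!/bin/sh
# Added example, not from the thread or from dgit: the six-step
# re-verification above as a script.  Assumed, not stated in the mail:
# Git-Tag-Info holds the bare tag name, the signed tag message carries a
# "quilt=MODE" token, and dgit-repos serves https://git.dgit.debian.org/PKG.
set -eu

# Step 2 input: the Git-Tag-Info field of a (possibly clearsigned) .dsc.
dsc_git_tag_info() {
    sed -n 's/^Git-Tag-Info:[[:space:]]*//p' "$1" | head -n 1
}

# Step 4 input: the quilt mode from the tag's signed message (assumed format).
quilt_mode_from_tag() {
    git -C "$1" tag -l --format='%(contents)' "$2" \
        | sed -n 's/.*quilt=\([^] ]*\).*/\1/p' | head -n 1
}

# Step 6: the two unpacked trees must be byte-for-byte the same.
trees_identical() {
    diff -r "$1" "$2" >/dev/null 2>&1
}

# Steps 1-6: does the archive's .dsc match what the uploader's signed tag
# produces?  $1 = source package name, $2 = path to the .dsc from the archive.
verify_tag2upload_dsc() {
    pkg=$1; dsc=$(readlink -f "$2")
    work=$(mktemp -d); cd "$work"
    tag=$(dsc_git_tag_info "$dsc")                          # step 1
    git init -q src                                         # step 2
    git -C src fetch -q "https://git.dgit.debian.org/$pkg" \
        "refs/tags/$tag:refs/tags/$tag"
    git -C src verify-tag "$tag"                            # step 3: gpg checks
                                                            # the keyring you trust
    mode=$(quilt_mode_from_tag src "$tag")
    git -C src checkout -q "$tag"
    (cd src && dgit --quilt="$mode" build-source)           # step 4: .dsc lands in ..
    rebuilt=$(ls "$work"/*.dsc | head -n 1)
    dpkg-source -x "$dsc" archive-tree >/dev/null           # step 5
    dpkg-source -x "$rebuilt" tag-tree >/dev/null
    trees_identical archive-tree tag-tree                   # step 6
}

if [ "$#" -eq 2 ]; then
    verify_tag2upload_dsc "$1" "$2" && echo "verification succeeded: trees match"
fi
```

Run as `sh verify.sh PACKAGE path/to/archive.dsc`; a non-zero exit at step 3 or step 6 means the archive's .dsc is not what the uploader's signed tag produces.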