On Fri, Mar 29, 2024 at 11:29:01PM -0700, Russ Allbery wrote:
>...
> In other words, we should make sure that breaking the specific tactics
> *this* attacker used truly makes the attacker's life harder, as opposed to
> making life harder for Debian packagers while only forcing a one-time,
> minor shift in attacker tactics. I *think* I'm mostly convinced that
> forcing the attacker into Git commits is a useful partial defense, but I'm
> not sure this is obviously true.
>...

There are also other reasons why using tarballs by default is no longer a good option. In many cases our upstream source is the unsigned tarball Github automatically provides for every tag, which invites MITM attacks. The hash of these tarballs is expected to change over time, which makes it harder to reliably verify that the upstream sources we have in the archive match what is provided upstream.

cu
Adrian
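An added illustration of the verification problem raised above (example code written for this page, not from the thread or from Debian tooling): a digest over the tarball's file paths and contents, rather than over the compressed bytes, stays stable when a tag tarball is regenerated with different archive metadata, yet still changes when the source tree itself differs. The file names and contents below are constructed.

```python
"""Content digest for a source tarball, independent of archive metadata."""
import hashlib
import io
import tarfile


def whole_file_digest(tar_bytes: bytes) -> str:
    """The brittle check: sha256 over the compressed bytes as downloaded."""
    return hashlib.sha256(tar_bytes).hexdigest()


def content_digest(tar_bytes: bytes, strip_components: int = 1) -> str:
    """sha256 over (path, content) of regular files, sorted by path.

    strip_components drops the leading repo-version/ directory the tag
    tarball adds. Timestamps, owners, modes and compression are ignored.
    """
    entries = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if parts:
                entries.append(("/".join(parts), tf.extractfile(member).read()))
    h = hashlib.sha256()
    for path, data in sorted(entries):
        # Length-prefix each field so (path, data) boundaries are unambiguous.
        h.update(len(path).to_bytes(4, "big") + path.encode("utf-8"))
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def make_tarball(prefix: str, files: dict, mtime: int, level: int) -> bytes:
    """Constructed in-memory .tar.gz, simulating one download of a tag tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=level) as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size, info.mtime = len(content), mtime
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample tree; OLD and NEW differ only in archive metadata.
SRC = {"configure.ac": b"AC_INIT([foo],[1.0])\n", "src/main.c": b"int main(void){return 0;}\n"}
OLD = make_tarball("foo-1.0", SRC, mtime=1_600_000_000, level=6)
NEW = make_tarball("foo-1.0", SRC, mtime=1_700_000_000, level=9)
TAMPERED = make_tarball("foo-1.0", {**SRC, "src/main.c": b"int main(void){return 1;}\n"}, 1_700_000_000, 9)
```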