On Tue, 22 Oct 2019 at 05:22:57 +0200, Bastian Blank wrote:
> - Files need to be compressed and are recorded as such, which is a hard
> problem and gives rise to tools like pristine-tar and such.
My understanding is that this is deliberate: it means the only layer with the hard requirement to be able to cope with malicious/crafted files without introducing security vulnerabilities (whether that means arbitrary code execution via parser bugs, or denial of service via "zip bombs") is the PGP signature verification on the (uncompressed) .dsc. Everything else is authenticated before being decompressed, either directly via the PGP signature or via the authenticated hashes in the .dsc.

    smcv
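The verify-before-decompress ordering described in the reply above, as an added example that is not part of this thread and is not dpkg-source's own code. It assumes the .dsc text it is handed has already passed OpenPGP signature verification (that step is left out; gpg --verify or dscverify would do it in practice) and that the referenced files sit beside it in one directory. The tarball, its contents and the .dsc body in the demo are constructed inside the script so it runs offline; the package name hello_1.0 is made up.

```python
"""Verify every file against the (signed) .dsc before any tar/gzip parser
touches it. Added example; not Debian's dpkg-source. Assumes the .dsc has
already had its OpenPGP signature verified (not shown here)."""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def parse_dsc_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} from a .dsc Checksums-* field.

    The field is folded RFC 822 style: the header line, then one
    continuation line per file of the form " <digest> <size> <name>".
    """
    entries = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
            continue
        in_field = line.startswith(field + ":")
    return entries


def file_matches(path, expected_digest, expected_size):
    """Hash the raw bytes of `path`; nothing here interprets the content."""
    h = hashlib.sha256()
    total = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            total += len(chunk)
    return total == expected_size and hmac.compare_digest(h.hexdigest(), expected_digest)


def verified_tar_members(dsc_text, srcdir):
    """Check every listed file, and only then open the tarballs.

    Returns {tarball_name: [member names]}. Raises ValueError before any
    tar or gzip code runs if one file fails, so a crafted archive never
    reaches a decompressor unless the signed .dsc vouches for it.
    """
    entries = parse_dsc_checksums(dsc_text)
    if not entries:
        raise ValueError("no Checksums-Sha256 field in .dsc")
    for name, (digest, size) in entries.items():
        if os.path.basename(name) != name:  # .dsc entries are bare filenames
            raise ValueError(f"{name}: path component in filename")
        if not file_matches(os.path.join(srcdir, name), digest, size):
            raise ValueError(f"{name}: checksum/size mismatch, refusing to decompress")
    members = {}
    for name in entries:
        if name.endswith((".tar.gz", ".tar.xz", ".tar.bz2")):
            with tarfile.open(os.path.join(srcdir, name), "r:*") as tf:
                members[name] = tf.getnames()
    return members


def build_demo(tmpdir):
    """Construct a tiny orig tarball and a matching (unsigned) .dsc body."""
    tar_path = os.path.join(tmpdir, "hello_1.0.orig.tar.gz")  # made-up name
    with tarfile.open(tar_path, "w:gz") as tf:
        data = b"int main(void){return 0;}\n"
        info = tarfile.TarInfo("hello-1.0/hello.c")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    with open(tar_path, "rb") as f:
        raw = f.read()
    dsc = (
        "Format: 3.0 (quilt)\n"
        "Source: hello\n"
        "Checksums-Sha256:\n"
        f" {hashlib.sha256(raw).hexdigest()} {len(raw)} hello_1.0.orig.tar.gz\n"
        "Files:\n"
        f" {hashlib.md5(raw).hexdigest()} {len(raw)} hello_1.0.orig.tar.gz\n"
    )
    return dsc, tar_path


def demo():
    """Return (members of the intact tarball, whether a tampered one was rejected)."""
    with tempfile.TemporaryDirectory() as d:
        dsc, tar_path = build_demo(d)
        intact = verified_tar_members(dsc, d)
        # Flip one byte of the deflate stream (offset 10, just past the gzip
        # header); size is unchanged, so only the hash catches it.
        with open(tar_path, "r+b") as f:
            f.seek(10)
            b = f.read(1)[0]
            f.seek(10)
            f.write(bytes([b ^ 0xFF]))
        try:
            verified_tar_members(dsc, d)
            rejected = False
        except ValueError:
            rejected = True
    return intact, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the layering is visible in verified_tar_members: the loop that hashes raw bytes finishes for every file before tarfile.open is called even once, so the only parser exposed to unauthenticated input is the one that reads the plain-text .dsc (and, outside this script, the OpenPGP verifier).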