On 15.06.24 00:37, Russ Allbery wrote:
> dak should not be doing the source package transformation, because that is
> a much more complicated process and therefore a larger security attack
> surface.  That's why it's done in a sandbox with a bunch of privilege
> separation.

… which incidentally is far more secure than what Joe Random DD does when he generates a source package.

The difference of course is that if somebody manages to compromise tag2upload then they could insert backdoors into any and all Debian packages, not just Joe's. On the other hand, we can mitigate this by careful auditing and monitoring. There is no auditing and monitoring on Joe's development system, and the XZ backdoor has shown that you don't even need to compromise Joe; a hit on the tarball that Joe uses is sufficient.

By comparison, refusal to use tag2upload because of git's use of SHA1 (which is *really* difficult to exploit, as you also need to somehow replace the actual colliding object) seems somewhat irrational to me.

--
-- with kind regards
--
-- Matthias Urlichs

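To make the SHA-1 point in the message above concrete, here is an added example (my own code, not part of the thread and not tag2upload's implementation) that rebuilds the hash chain a signed git tag binds: the OpenPGP signature covers the tag payload, the payload names the commit id, the commit names the tree id, and the tree names every blob id, each of which is SHA-1 over "<type> <size>\0<content>". Swapping a single file's bytes changes every link up to the signed payload, so an attacker who cannot produce a second git object with the same type, length and SHA-1 (the "actual colliding object") cannot substitute content under an existing signature. Git has shipped a collision-detecting SHA-1 (sha1dc) since 2.13, which rejects SHAttered-style inputs outright. The file names, the committer identity and the tag name below are constructed for the example, and the tree helper handles a flat directory only.

```python
"""Rebuild the object ids a signed git tag pins, to show what a SHA-1
collision would have to replace. Added example; uses only hashlib."""
import hashlib

# Constructed identity and tag name; not taken from any real upload.
IDENT = "Joe Random DD <joe@example.org> 1718404620 +0200"
SAMPLE_FILES = {
    "README": b"Example package\n",
    "main.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
}


def git_object_id(obj_type: str, content: bytes) -> str:
    """Object name exactly as `git hash-object` computes it:
    SHA-1 over the header "<type> <size>\\0" followed by the content."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def tree_object(blobs: dict) -> bytes:
    """Serialize a flat tree (no subdirectories): entries are
    "<mode> <name>\\0<20 raw oid bytes>", sorted by name; files are mode 100644."""
    body = b""
    for name in sorted(blobs):
        oid = git_object_id("blob", blobs[name])
        body += f"100644 {name}\0".encode() + bytes.fromhex(oid)
    return body


def commit_object(tree_oid: str, message: str) -> bytes:
    """Minimal root commit body (no parent line) referencing the tree."""
    return (f"tree {tree_oid}\n"
            f"author {IDENT}\n"
            f"committer {IDENT}\n\n"
            f"{message}\n").encode()


def tag_payload(commit_oid: str, tagname: str, message: str) -> bytes:
    """The text an OpenPGP tag signature covers; git stores the armoured
    signature appended after this payload to form the tag object."""
    return (f"object {commit_oid}\n"
            f"type commit\n"
            f"tag {tagname}\n"
            f"tagger {IDENT}\n\n"
            f"{message}\n").encode()


def signed_tag_chain(files: dict, tagname: str = "debian/1.0-1") -> dict:
    """Walk the chain blob -> tree -> commit -> signed tag payload."""
    tree_oid = git_object_id("tree", tree_object(files))
    commit_oid = git_object_id("commit", commit_object(tree_oid, "Upload"))
    payload = tag_payload(commit_oid, tagname, "tag2upload: " + tagname)
    return {
        "blobs": {name: git_object_id("blob", data) for name, data in files.items()},
        "tree": tree_oid,
        "commit": commit_oid,
        "tag_payload": payload,
    }


def tamper_detected(files: dict, path: str, new_content: bytes) -> bool:
    """True when replacing one file's bytes changes the signed tag payload,
    i.e. the existing signature would no longer verify. Only a git object
    with the same type, length and SHA-1 would leave the payload unchanged."""
    original = signed_tag_chain(files)
    tampered = signed_tag_chain({**files, path: new_content})
    return original["tag_payload"] != tampered["tag_payload"]


if __name__ == "__main__":
    chain = signed_tag_chain(SAMPLE_FILES)
    for name, oid in chain["blobs"].items():
        print(f"blob   {oid}  {name}")
    print(f"tree   {chain['tree']}")
    print(f"commit {chain['commit']}")
    print("tag payload covered by the signature:")
    print(chain["tag_payload"].decode())
    print("backdoored main.c detected:",
          tamper_detected(SAMPLE_FILES, "main.c", b"int main(void){return 0;}\n"))
```

The ids produced match `git hash-object` and `git mktree` for the same inputs, so the function can be checked against a real repository; the sanity values for the empty blob and empty tree are the well-known e69de29b... and 4b825dc6... names.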