Matthias Urlichs <matth...@urlichs.de> writes:

> On 15.06.24 00:37, Russ Allbery wrote:
>> dak should not be doing the source package transformation, because that
>> is a much more complicated process and therefore a larger security
>> attack surface. That's why it's done in a sandbox with a bunch of
>> privilege separation.
>
> … which incidentally is far more secure than what Joe Random DD does
> when he generates a source package.
>
> The difference of course is that if somebody manages to compromise
> tag2upload then they could insert backdoors into any and all Debian
> packages, not just Joe's. On the other hand we can mitigate this by
> careful auditing and monitoring. There is no auditing and monitoring on
> Joe's development system, and the XZ backdoor has shown that you don't
> even need to compromise Joe; a hit on the tarball that Joe uses is
> sufficient.

Yes. Exactly. That is precisely the security trade-off that I see.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>