On 17.06.24 20:56, Russ Allbery wrote:
> Well, if the maintainers system is broken in, it makes no difference if
> a git tag or a dsc or whatever else is signed.
This is more true than I would like it to be.

On the other hand, a signed git tag doesn't merely track a set of files; it also tracks their history. You can thus go to Salsa and verify that e.g. the emergency NMU which I pushed to $Package yesterday only contains one commit on top of the maintainer's and changes only this one file (OK two if we consider d/changelog).

Or, I can look at my package's git history (something which I frequently do) and go into panic mode when I see a spurious/suspicious change to src/util/securitycheck.c in there.

While in principle it's possible to do the same thing by downloading two sets of $Package-*.debian.tar.gz files from archive.d.o, unpacking them, and running "diff -r", that's two orders of magnitude more work, might require deciphering cryptic diff-of-diffs gibberish, and doesn't have a nice web frontend you can link to in your NMU bug, which means that nobody's going to do it. Thus it's far more likely that the backdoor which $BadPerson inserted into my upload will go undetected.

The t2u output, in turn, can easily be verified. Clone the tag, run dgit, compare with "apt-get source" artifacts.

--
-- regards
--
-- Matthias Urlichs
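The history check described above (an NMU tag that sits exactly one commit on top of the maintainer's tag and touches only the intended file plus debian/changelog), as an added shell example that is not from this thread; the tag names, file names and the throwaway repository are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check that an NMU tag adds exactly one
# commit on top of the maintainer's tag and changes only an expected file plus
# debian/changelog. Tag and file names below are constructed, not real packages.
set -eu

# check_nmu_delta BASE_TAG NMU_TAG ALLOWED_FILE -> 0 if the delta is as expected.
# In real use run `git verify-tag "$NMU_TAG"` first (needs the signer's key).
check_nmu_delta() {
    base=$1; nmu=$2; allowed=$3
    n=$(git rev-list --count "$base..$nmu")
    if [ "$n" -ne 1 ]; then
        echo "expected 1 commit on top of $base, found $n" >&2
        return 1
    fi
    # Any changed path other than the allowed file or d/changelog is suspicious.
    extra=$(git diff --name-only "$base" "$nmu" \
        | grep -v -x -e "$allowed" -e debian/changelog || true)
    if [ -n "$extra" ]; then
        echo "unexpected files changed:" >&2; echo "$extra" >&2
        return 1
    fi
    return 0
}

# Constructed toy repository standing in for a packaging repo on Salsa.
# Prints the repository path; tags are unsigned here for the offline demo.
make_demo_repo() {
    dir=$(mktemp -d)
    cd "$dir"
    git -c init.defaultBranch=main init -q
    git config user.email "demo@example.invalid"; git config user.name "demo"
    mkdir -p debian src/util
    echo "1.0-1" > debian/changelog; echo "int ok;" > src/util/securitycheck.c
    git add -A; git commit -qm "maintainer upload 1.0-1"; git tag good/1.0-1
    # Legitimate NMU: changelog plus the one intended fix.
    echo "1.0-1.1" > debian/changelog; echo "int fixed;" > src/fix.c
    git add -A; git commit -qm "NMU 1.0-1.1"; git tag nmu/1.0-1.1
    # Suspicious NMU: same changelog, but securitycheck.c is touched as well.
    git checkout -q good/1.0-1; git checkout -qb bad
    echo "1.0-1.1" > debian/changelog
    echo "int backdoor;" >> src/util/securitycheck.c
    git add -A; git commit -qm "NMU 1.0-1.1"; git tag bad/1.0-1.1
    echo "$dir"
}
```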
