HW42 <h...@ipsumj.de> writes:
> Russ Allbery:

>> This attack is not equivalent to compromise of the uploader's OpenPGP
>> key, which neither upload architecture defends against. Many Debian
>> uploaders build source packages on less-trusted systems where they also
>> build and test binary packages, and then sign the source package from a
>> more-trusted system or use a hardware key.

> Is this really common practice that Debian uploaders sign (source)
> packages they built on less-trusted systems?

I have no idea if it's common practice, which to me implies a
majority or near majority.  I have no data.  I think "many" is correct
based on the number of Debian uploaders who have said in various
discussions over the years that they do this.

> And, if yes: Why wouldn't they do the equivalent with the sources in git
> (work on the less trusted system, transfer commits (git push/pull) to
> the system with signing access and sign there, without review)?

They will, I assume.  But tag2upload requires that the malicious code that
could be added during that process be pushed to Salsa or the signature
will not validate and tag2upload will fail.  My contention is that this
makes detection of the attack easier.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
