On June 25, 2024 9:02:45 AM UTC, Philip Hands <p...@hands.com> wrote:
>Scott Kitterman <deb...@kitterman.com> writes:
>
>> Do you have any examples of problems that this would have avoided
>> (xz-utils isn't one - due to the way its releases are done, it
>> wouldn't be suitable for tag2upload)?
>
>I'm somehow reminded of Ignaz Semmelweis's attempts to improve medical
>hygiene by getting doctors to emulate the local midwives, who scrubbed
>their hands between patients, whereas the doctors generally didn't, and
>would alternate between performing autopsies and attending deliveries.
>
>I'd guess someone may well have pushed back against that, thus:
>
> Can you name a single patient who has suffered as a result of
> existing practice?
>
>If I stretch that metaphor (possibly beyond breaking point), then one
>might think of our developers' laptops as the (potentially infected)
>cadavers, the newly uploaded source packages as the live births, and our
>tooling as the doctors' hands that may carry the infectious material
>from one to the other.
>
>I hope that we've been lucky enough to not actually have any of the
>relevant "infections" in the population of laptops that produce our
>packages, but would it not be wise to make it more difficult for such an
>infection to be silently transmitted?
>
>People state that a compromised machine can as easily commit malicious
>code to git as it could insert it into a source package, but the
>difference is that the malicious commit then needs to be pushed in
>order to work, exposing it to examination.
>
>In our metaphor perhaps the git commit step would equate to requiring
>doctors to touch a new Petri dish before each patient, which would at
>least record what was going on, and might give the opportunity to deal
>with the situation before real harm is done.
>
I don't disagree with any of that, in principle. I'm not against improvements
that help address security concerns that we believe are currently only
theoretical. I do think that the anti-source package rhetoric in the message I
was replying to was over the top.

Security is inevitably tied up in trade-offs. One of the trade-offs for
tag2upload as currently designed is the loss of any cryptographic connection
between the person that uploaded the package and the source package in the
Debian package archive.

I understand that different people will value that differently. My impression
is that the message I was responding to was essentially claiming that it's no
trade-off at all because, due to the massive risk of unknown transformations
when the source package is built, there's no value to the signature.

I think that's nonsense.

Scott K