On Jun 25, 2024 5:50 PM, Russ Allbery <r...@debian.org> wrote:
> Thomas Goirand <z...@debian.org> writes:
> > On 6/25/24 11:56, Matthias Urlichs wrote:
> > > It's 3rd party in the sense that the person uploading isn't generating
> > > or even signing the source package.
>
> The 1st party vs. 3rd party language is always murky, and I'm not sure how
> useful it is. (For example, who is the 2nd party? Isn't the Debian
> archive and its surrounding machinery 2nd party, not 3rd party?)

Obviously, 2nd party is DAK and the buildds.

> The tag2upload proposal moves the source package build from 1 to 2.

NO! That is NOT what you are proposing. There's been a 10-year-long effort to have package reproducibility; your proposal is throwing it all away. How does one check the reproducibility of the git to source package transformation?

If we were signing source package manifests locally, and tag2upload were also producing one, checking it is the same as in the pushed tag, and using the signature, then we'd be good. But you don't want this because:

- you feel it is not convenient
- it is hard to implement

> It's blind in the same sense that the amd64 buildd is blind.

It is not blind 96% of the time, when a package is reproducible. Let's fix the last 4%...

> There are a
> bunch of logs that you can go look at if you want to, but people generally
> won't unless they think there's some sort of problem.

There is a reproducible build CI and its results are on everyone's QA page to skim fast...

> > https://isdebianreproducibleyet.com/
>
> As an aside, I'm not sure there's any ethical way to do this (and any way
> to do this that doesn't result in people panicking about a test), but the
> security person in me badly wants to run a red team exercise with
> reproducible binary builds. If we intentionally introduce a (benign) bit
> of code into an amd64 binary build without anyone involved in either
> reproducible builds or maintenance of that package knowing, how long would
> it take for this to be flagged as a possible compromise?
Are you hereby vouching for reproducibility to become RC bugs? I am... it's been long enough!

> > I expect that the vast majority of DDs are using sbuild on their
> > laptops.
>
> I would be stunned if this were the case. I am, and it was not trivial to
> set up, finding the right instructions took me a bit, and I am dubious
> that many people bothered. None of the people whose packages I've
> sponsored have ever used sbuild so far as I know.

If we check for reproducibility, that is a non-issue.

> My recollection is that the source package
> build is normally done outside sbuild and then copied into it.

I believe so too, but that could be changed. And that is one more good reason to have both DDs and tag2upload produce the source package manifests so they can be checked for identicality.

> "Proven" to me implies that we have an implementation of tag2upload that
> has better security properties.

Watch the Kosovo lightning talk where Didier shows what he did. It is a proven concept.

Cheers,

Thomas Goirand (zigo)
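The check Thomas proposes in this message (the DD and tag2upload each derive the source package manifest from the same git tree, then the two manifests are compared for identicality), as an added example that is not part of this thread or of tag2upload itself. The package name, the file contents and the reduced .dsc-style Checksums-Sha256 block are constructed, and OpenPGP verification of the DD's signed manifest is assumed to happen separately.

```python
import hashlib

# Constructed source package contents standing in for what a DD builds
# locally from a git tree (hypothetical package name "examplepkg").
LOCAL_FILES = {
    "examplepkg_1.0.orig.tar.xz": b"constructed upstream tarball bytes",
    "examplepkg_1.0-1.debian.tar.xz": b"constructed debian/ tarball bytes",
}

def build_manifest(files):
    """Emit a .dsc-style Checksums-Sha256 block: <sha256> <size> <filename> per file."""
    lines = ["Checksums-Sha256:"]
    for name in sorted(files):
        data = files[name]
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

def parse_manifest(text):
    """Parse the Checksums-Sha256 block back into {filename: (sha256, size)}."""
    entries, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # continuation lines ended; next .dsc field begins
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries

def compare_manifests(local_text, service_text):
    """Filenames whose checksum or size differ, or that exist on only one side."""
    local, service = parse_manifest(local_text), parse_manifest(service_text)
    return sorted(n for n in set(local) | set(service) if local.get(n) != service.get(n))

def check_transformation(local_files, service_files):
    """Compare the DD's manifest with the one the upload service derived."""
    return compare_manifests(build_manifest(local_files), build_manifest(service_files))

if __name__ == "__main__":
    # Same git tree transformed twice (DD laptop and tag2upload): nothing differs.
    print(check_transformation(LOCAL_FILES, dict(LOCAL_FILES)))
    # A transformation that altered the debian tarball is caught by name.
    tampered = dict(LOCAL_FILES)
    tampered["examplepkg_1.0-1.debian.tar.xz"] += b"\x00"
    print(check_transformation(LOCAL_FILES, tampered))
```

A real .dsc uses the same three-column layout in its Checksums-Sha256 field; the remaining fields and the OpenPGP signature over the whole file are checked separately from this comparison.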