tag 704018 pending
thanks

Date:   Tue Mar 26 17:41:53 2013 -0400
Author: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Commit ID: 4323cc8838ea53008e911811160182f975ffb360
Commit URL: http://git.debian.org/?p=users/agx/git-buildpackage.git;a=commitdiff;h=4323cc8838ea53008e911811160182f975ffb360
Patch URL: http://git.debian.org/?p=users/agx/git-buildpackage.git;a=commitdiff_plain;h=4323cc8838ea53008e911811160182f975ffb360

    Include the name of the package being built in the debian tag message

    Currently, the message in the debian tag is just:

      "Debian release %s" % cp.version

    This is a bad idea, because it means that the signed message itself
    contains no mention of the project that is being worked on.

    Since all git repositories are conceptually the same git repository
    (some just have commits that others don't have), a malicious attacker
    could inject tags from project A into the repository for project B and
    the original developer's signature on those tags would be intact.

    This is potentially a security problem.  For example: if there are
    automated build systems that pull from a repo and verify signed tags
    made by a known developer (and that developer contributes to multiple
    projects), this conflation could be used to make those systems build
    packages from an entirely other project.

    The attached patch enforces the inclusion of the name of the package
    into the tag's message.

    Closes: #704018
      


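The verification step the commit message motivates, as an added example that is not git-buildpackage's own code: a consumer that fetches tags and trusts a developer's signature must also check what the signed text says, because the signature covers the tag object (object id, type, tag name, tagger and message) and nothing else; neither a tag name like debian/1.0-1 nor the old message "Debian release 1.0-1" names a package, so a tag lifted from project A's repository verifies just as well in project B's. The code below parses a raw tag object as printed by `git cat-file tag <tag>`, discards the detached PGP block, and checks that the message binds the tag to the expected source package and version. The message format "<source> Debian release <version>" and the debian/<version> tag naming with '~' mapped to '_' and ':' to '%' are assumptions about gbp's conventions; the sample tag objects and signature text are constructed. Cryptographic validity of the signature is out of scope here and must be established first with `git verify-tag`.

```python
"""Check that a git tag's signed text names the package it belongs to.

Illustrative code written for this page, not part of git-buildpackage.
Assumed conventions: message "<source> Debian release <version>" and tag
name "debian/<version>" with '~' -> '_' and ':' -> '%'.  Run
`git verify-tag` (GnuPG) before trusting anything this module reports.
"""
import re

# A detached signature that git appends to the message of a signed tag.
PGP_SIG_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----\n?", re.S)


def parse_tag_object(raw):
    """Split a raw tag object into (header fields, message).

    The header is "key value" lines up to the first blank line; the rest is
    the tagger's message, with any PGP signature block stripped.  Every byte
    of header and message is what the signature covers.
    """
    header, _, body = raw.partition("\n\n")
    fields = {}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    message = PGP_SIG_RE.sub("", body).strip()
    return fields, message


def version_to_tag(version):
    """Map a Debian version to the assumed debian/<version> tag name."""
    return "debian/" + version.replace("~", "_").replace(":", "%")


def check_tag_binds_package(raw, source, version):
    """Return (ok, reason) for a tag expected to release <source> <version>.

    Both the tag name and the first message line are checked; only the
    message can carry the package name, which is the point of the commit.
    """
    fields, message = parse_tag_object(raw)
    if fields.get("type") != "commit":
        return False, "tag does not point at a commit"
    expected_tag = version_to_tag(version)
    if fields.get("tag") != expected_tag:
        return False, "tag name %r is not %r" % (fields.get("tag"), expected_tag)
    expected_msg = "%s Debian release %s" % (source, version)
    first_line = message.splitlines()[0] if message else ""
    if first_line != expected_msg:
        return False, "message %r does not bind the tag to %r" % (first_line,
                                                                 expected_msg)
    return True, "ok"


# Constructed sample tag objects (fake object id, tagger and signature).
def _tag_object(message):
    return ("object 0123456789abcdef0123456789abcdef01234567\n"
            "type commit\n"
            "tag debian/1.0-1\n"
            "tagger Jane Developer <jane@example.org> 1364334113 -0400\n"
            "\n" + message + "\n"
            "-----BEGIN PGP SIGNATURE-----\n"
            "Version: GnuPG v1\n"
            "\n"
            "iQEcBAABAgAGBQJRUh(constructed, not a real signature)\n"
            "-----END PGP SIGNATURE-----\n")


OLD_STYLE = _tag_object("Debian release 1.0-1")        # pre-patch message
NEW_STYLE_FOO = _tag_object("foo Debian release 1.0-1")  # post-patch message


if __name__ == "__main__":
    # The old message is accepted for any package; the new one only for foo.
    print(check_tag_binds_package(NEW_STYLE_FOO, "foo", "1.0-1"))
    print(check_tag_binds_package(NEW_STYLE_FOO, "bar", "1.0-1"))
    print(check_tag_binds_package(OLD_STYLE, "foo", "1.0-1"))
```

In a build pipeline the raw object would come from `git cat-file tag debian/1.0-1` after `git verify-tag debian/1.0-1` has succeeded for a key on the project's allow-list; with the old message format the second step has nothing package-specific to check, which is exactly the gap the patch closes.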