Re: Debian upload monitor
Enrico Zini <[EMAIL PROTECTED]> writes:

> Whether it belongs to QA or ftp-master, is what I'm trying to find
> out.

May I suggest that each ACCEPTED mail sent by dak could include a list of the last n accepted packages. This way no extra active service would need to be established. n is either fixed (I feel 5 might be a reasonable value), or configurable somewhere.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
Re: Debian upload monitor
Enrico Zini wrote:

> For example, you have several IDs in your key. If I have reason to
> believe that you don't receive mail in one of them (for example, I can
> notice that a domain has expired, or I can send fake spam to all of them
> and see if one bounces), then I can use that address in Maintainer: and
> Changed-by:, and dak will mail there.

But this is a deliberate policy decision, not a technical limitation, because these mails have been introduced for convenience, not as a security measure. In fact, presently, the sponsor mails are not sent if the keyholder's name (as put in projectb) appears in Changed-By or Maintainer, regardless of the mail address, so your scheme to 'circumvent' their sending is excessively complicated.

> But regardless of specific examples, this is an extra, complementary
> layer of security. The GPG key is our most important security token,
> and a way to track its usage is the least that we should have.
>
> Whether it belongs to QA or ftp-master, is what I'm trying to find out.

Well, if everyone wanted these mails, it would be trivial to send them unconditionally instead of conditionally.

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Re: Debian upload monitor
On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:
> On Thu, May 01, 2008 at 05:58:40PM +0100, Enrico Zini wrote:
> > On Thu, May 01, 2008 at 05:25:16PM +0200, Thijs Kinkhorst wrote:
> >
> > > Doesn't dak already send you an email when it processes an upload with
> > > your key? What exactly does this add on top of that functionality?
> >
> > The problem is that it seems to be possible to craft an upload that will
> > send an email elsewhere so you won't notice it.
> >
> How so? I'm sure the dak maintainers would like to know of this. My
> understanding is that dak does it like this:
>
> - extract ID of key used to sign upload
> - lookup ID in Debian keyring

Those things it does.

> - determine Debian account associated with key ID
> - send email to that Debian email (unless the uploader's email, as
>   noted in the changelog entry, is one of the ones explicitly listed in
>   the key)

That it does very recently in case of sponsored uploads, but not for other uploads. It will always mail to the address in Changed-By. I think for normal source uploads it will also mail to the Maintainer, but I'm not sure about that.

Kurt
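Added example (not part of the thread, and not dak's code): a per-key audit of accepted uploads, under the assumption stated in the message above for non-sponsored uploads, that notification goes only to the Changed-By and Maintainer addresses. The keyring, the upload records, their field names and the `audit_by_key` helper are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real keys, packages or addresses).
KEYRING = {  # fingerprint -> (Debian login, UIDs on the key)
    "FPR_ALICE": ("alice", {"alice@debian.org", "alice@old-domain.example"}),
    "FPR_BOB": ("bob", {"bob@debian.org"}),
}
UPLOADS = [  # one record per accepted upload (hypothetical log format)
    {"source": "foo", "version": "1.0-1", "fpr": "FPR_ALICE",
     "changed_by": "alice@debian.org", "maintainer": "alice@debian.org"},
    {"source": "bar", "version": "2.1-3", "fpr": "FPR_ALICE",
     "changed_by": "alice@old-domain.example",
     "maintainer": "alice@old-domain.example"},
    {"source": "baz", "version": "0.4-2", "fpr": "FPR_BOB",
     "changed_by": "carol@example.org", "maintainer": "carol@example.org"},
    {"source": "qux", "version": "3.0-1", "fpr": "FPR_UNKNOWN",
     "changed_by": "x@example.org", "maintainer": "x@example.org"},
]

def audit_by_key(uploads, keyring):
    """Group uploads by signing key and flag those whose notification
    addresses (Changed-By, Maintainer) miss the key owner's @debian.org."""
    report = defaultdict(list)
    for up in uploads:
        owner = keyring.get(up["fpr"])
        if owner is None:
            report["<not in keyring>"].append(
                (up["source"], up["version"], "unknown-key"))
            continue
        login, uids = owner
        notified = {up["changed_by"].lower(), up["maintainer"].lower()}
        if f"{login}@debian.org" in notified:
            status = "owner-notified"
        elif notified & {u.lower() for u in uids}:
            status = "secondary-uid-only"  # mail went to another UID of the key
        else:
            status = "third-party-only"    # e.g. a sponsored upload
        report[login].append((up["source"], up["version"], status))
    return dict(report)

if __name__ == "__main__":
    for login, entries in audit_by_key(UPLOADS, KEYRING).items():
        for source, version, status in entries:
            print(f"{login:18} {source} {version:8} {status}")
```

Because the report is keyed on the signing key rather than on any address in the upload, the key holder sees every use of the key regardless of where the mail was sent.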
Re: Debian upload monitor
On Thu, May 01, 2008 at 11:39:32PM +0100, Enrico Zini wrote:
> On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:
>
> > I am curious how you could craft an upload that would use a key
> > (ostensibly not your own, since you would know what you are uploading
> > anyway) where you could use some random DD's key to do the upload
> > without an email going to that DD. It seems like you would need to
> > forge the GPG signature.
>
> For example, you have several IDs in your key. If I have reason to
> believe that you don't receive mail in one of them (for example, I can
> notice that a domain has expired, or I can send fake spam to all of them
> and see if one bounces), then I can use that address in Maintainer: and
> Changed-by:, and dak will mail there.
>

Yes, but it will also mail you at your @debian.org email since your key was used to sign the upload. The specific example you cite would happen regardless if you used any non-existent or bogus email address.

> But regardless of specific examples, this is an extra, complementary
> layer of security. The GPG key is our most important security token,
> and a way to track its usage is the least that we should have.
>
> Whether it belongs to QA or ftp-master, is what I'm trying to find out.
>

Right. I am not really disputing the usefulness (it might be kind of neat to be able to map Maintainer/Changed-By addresses to the key(s) used to upload for those addresses). I was just wondering about how it might mean that something could be uploaded without an email going to some DD somewhere along the way.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Debian upload monitor
On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:

> I am curious how you could craft an upload that would use a key
> (ostensibly not your own, since you would know what you are uploading
> anyway) where you could use some random DD's key to do the upload
> without an email going to that DD. It seems like you would need to
> forge the GPG signature.

For example, you have several IDs in your key. If I have reason to believe that you don't receive mail in one of them (for example, I can notice that a domain has expired, or I can send fake spam to all of them and see if one bounces), then I can use that address in Maintainer: and Changed-by:, and dak will mail there.

But regardless of specific examples, this is an extra, complementary layer of security. The GPG key is our most important security token, and a way to track its usage is the least that we should have.

Whether it belongs to QA or ftp-master, is what I'm trying to find out.

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <[EMAIL PROTECTED]>
Re: Debian upload monitor
On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:

> I am curious how you could craft an upload that would use a key
> (ostensibly not your own, since you would know what you are uploading
> anyway) where you could use some random DD's key to do the upload
> without an email going to that DD. It seems like you would need to
> forge the GPG signature.

Which seems, according to [1], one of the things Enrico's monitor is supposed to permit detecting. An interesting intended usage IMO.

The real point relevant to this mailing list is: are we interested in hosting the service under some of the QA service we have or not? If not we can let it go and, AFAIU, it can/will be hosted on ftp-master.d.o. If we are interested on the other hand we can host it.

Speaking for the PTS side I don't think it would have any use there, as the PTS is mainly source package based; moreover, at that granularity the PTS already has the upload history and the corresponding RSS feed.

IMO it will be very interesting to have this integrated in DDPO, as it is the one true Debian portal we have which is oriented toward a maintainer.

Any other places we might benefit from this service?

Cheers.

[1] http://www.enricozini.org/2008/tips/audit-uploads.html

--
Stefano Zacchiroli -*- PhD in Computer Science ... now what?
[EMAIL PROTECTED],cs.unibo.it,debian.org} -<%>- http://upsilon.cc/zack/
(15:56:48) Zack: e la demo dema ?    /\    All one has to do is hit the
(15:57:15) Bac: no, la demo scema    \/    right keys at the right time
Re: Debian upload monitor
On Thu, May 01, 2008 at 05:58:40PM +0100, Enrico Zini wrote:
> On Thu, May 01, 2008 at 05:25:16PM +0200, Thijs Kinkhorst wrote:
>
> > Doesn't dak already send you an email when it processes an upload with your
> > key? What exactly does this add on top of that functionality?
>
> The problem is that it seems to be possible to craft an upload that will
> send an email elsewhere so you won't notice it.
>

How so? I'm sure the dak maintainers would like to know of this. My understanding is that dak does it like this:

- extract ID of key used to sign upload
- lookup ID in Debian keyring
- determine Debian account associated with key ID
- send email to that Debian email (unless the uploader's email, as noted in the changelog entry, is one of the ones explicitly listed in the key)

I am curious how you could craft an upload that would use a key (ostensibly not your own, since you would know what you are uploading anyway) where you could use some random DD's key to do the upload without an email going to that DD. It seems like you would need to forge the GPG signature.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Debian upload monitor
On Thu, May 01, 2008 at 05:25:16PM +0200, Thijs Kinkhorst wrote:

> Doesn't dak already send you an email when it processes an upload with your
> key? What exactly does this add on top of that functionality?

The problem is that it seems to be possible to craft an upload that will send an email elsewhere so you won't notice it.

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <[EMAIL PROTECTED]>
Re: Debian upload monitor
Hi Enrico,

On Thursday 1 May 2008 17:19, Enrico Zini wrote:
> I've put together a little script that allow to monitor all uploads
> performed with a GPG key. You can find the result at
> http://merkel.debian.org/~enrico/keylog/

Doesn't dak already send you an email when it processes an upload with your key? What exactly does this add on top of that functionality?

Thijs