New supply-chain security tool: backseat-signed
kpcyrd
kpcyrd at archlinux.org
Thu Apr 4 23:30:51 UTC 2024
On 4/5/24 12:31 AM, Adrian Bunk wrote:
> Hashes of "git archive" tarballs are anyway not stable,
> so whatever a maintainer generates is not worse than what is on Github.
>
> Any proper tooling would have to verify that the contents is equal.
>
>> ...
>> Being able to disregard the compression layer is still necessary however,
>> because Debian (as far as I know) never takes the hash of the inner .tar
>> file but only the compressed one. Because of this you may still need to
>> provide `--orig <path>` if you want to compare with an uncompressed tar.
>> ...
>
> Right now the preferred form of source in Debian is an upstream-signed
> release tarball, NOT anything from git.
>
> An actual improvement would be to automatically and 100% reliably
> verify that a given tarball matches the commit ID and signed git tag
> in an upstream git tree.
I strongly disagree. I think the upstream signature is overrated.
It's from the old mindset of code signing being the only way of securely
getting code from upstream. Recent events have shown (instead of
bothering upstream for signatures) it's much more important to have
clarity and transparency what's in the code that is compiled into
binaries and executed on our computers, instead of who we got it from.
The entire reproducible builds effort is based on the idea of the source
code in Debian being safe and sound to use.
If upstream refused to sign anything but pre-compiled llvm IR, I'd put
both the IR and signature in the trash and build from source code.
If upstream wouldn't sign anything but autotools pre-processed archives
with 25k lines of auto-generated shell scripts I'd put it next to the IR
and build from the actual source code as well.
If upstream would only sign a tarball with files sorted in the order
they were returned by their kernel to readdir(), I'd raise the question
why we're having this in 2024 (and possibly suggest to use a tar with
sorted entries).
Although to be honest if this would really be the only problem we'd be
having, I'd likely not care anymore and put my time to better use.
> Or perhaps stop using tarballs in Debian as sole permitted
> form of source.
I'd be fine with that.
cheers,
kpcyrd
More information about the rb-general
mailing list