New supply-chain security tool: backseat-signed

Adrian Bunk bunk at debian.org
Fri Apr 5 00:14:41 UTC 2024


On Fri, Apr 05, 2024 at 01:30:51AM +0200, kpcyrd wrote:
> On 4/5/24 12:31 AM, Adrian Bunk wrote:
> > Hashes of "git archive" tarballs are anyway not stable,
> > so whatever a maintainer generates is not worse than what is on Github.
> > 
> > Any proper tooling would have to verify that the contents are equal.
> > 
> > > ...
> > > Being able to disregard the compression layer is still necessary however,
> > > because Debian (as far as I know) never takes the hash of the inner .tar
> > > file but only the compressed one. Because of this you may still need to
> > > provide `--orig <path>` if you want to compare with an uncompressed tar.
> > > ...
> > 
> > Right now the preferred form of source in Debian is an upstream-signed
> > release tarball, NOT anything from git.
> > 
> > An actual improvement would be to automatically and 100% reliably
> > verify that a given tarball matches the commit ID and signed git tag
> > in an upstream git tree.
> 
> I strongly disagree. I think the upstream signature is overrated.

The best we can realistically verify is that the code is from upstream.

> It's from the old mindset of code signing being the only way of securely
> getting code from upstream. Recent events have shown that (instead of bothering
> upstream for signatures) it's much more important to have clarity and
> transparency about what's in the code that is compiled into binaries and executed
> on our computers, instead of who we got it from.
>...

We do know that for the backdoored xz packages.

An intentional backdoor by upstream is not something we can 
realistically defend against.

The tiny part of the whole xz backdoor that was only in the tarball 
could instead also have been in git like the rest of the backdoor.

A "supply-chain security tool" that does not bring any improvement in 
this case is just snake oil.

> cheers,
> kpcyrd

cu
Adrian
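As an added example (not code from this thread, from Debian tooling or from backseat-signed), a content-level comparison of a release tarball against a `git archive` tarball: it reads through any compression layer and ignores archive metadata such as mtimes, so it reports only files that are missing or differ in content, which is the check the thread describes. All file names and tarballs below are constructed test data.

```python
import hashlib
import io
import tarfile


def content_manifest(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file path in a tarball to the SHA-256 of its bytes.

    mode "r:*" lets tarfile detect gzip/bzip2/xz transparently, so the
    compression layer is ignored; mtime, owner and member order are ignored
    too, which is why this comparison is stable where the archive hash is not.
    """
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            # Drop the leading "name-version/" component so archives with
            # different top-level directory names still compare file by file.
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            manifest[path] = hashlib.sha256(data).hexdigest()
    return manifest


def compare_tarballs(release: bytes, git_archive: bytes) -> dict[str, list[str]]:
    """Report paths only in the release, only in the git archive, or changed."""
    a, b = content_manifest(release), content_manifest(git_archive)
    return {
        "only_in_release": sorted(set(a) - set(b)),
        "only_in_git": sorted(set(b) - set(a)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def make_tarball(files: dict[str, bytes], compression: str, mtime: int) -> bytes:
    """Build an in-memory tarball (constructed test data, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=f"w:{compression}") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=f"proj-1.0/{name}")
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    tree = {"configure.ac": b"AC_INIT\n", "src/main.c": b"int main(void){return 0;}\n"}
    git_tar = make_tarball(tree, "gz", mtime=1_700_000_000)
    # Constructed release: xz instead of gz, later mtimes, one file not in git.
    release = make_tarball({**tree, "m4/extra.m4": b"# tarball only\n"}, "xz", 1_700_086_400)
    print(compare_tarballs(release, git_tar))
```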

