
List:       kde-devel
Subject:    Re: Should we stop distributing source tarballs?
From:       Juraj Oravec <jurajoravec () mailo ! com>
Date:       2024-04-05 7:23:55
Message-ID: 18615263.EB2kaUrQYE () juraj


On Friday 5 April 2024 9:04:14 CEST Tobias Leupold wrote:
> On 05.04.24 at 06:25, Juraj Oravec wrote:
> > Hello Albert,
> > 
> > The release tarballs can be signed with GPG (or is it PGP?), which
> > provides another layer of protection to make sure the release is
> > authentic.
> > 
> > If KDE wants to lead by example and use only git tags for releases,
> > at least the tags should be signed with GPG for verification.
> > 
> > It would be best to have all commits in the repository signed (in
> > Gitlab "Verified"). While we are unable to make sure that the
> > historical commits are also signed, since most of them are not, at
> > least new commits and tags should be signed. Maybe the commits can
> > be signed retrospectively (while breaking the repository history),
> > but this is probably just my dream.
> 
> If all commits in the xz repo had been signed, the backdoor would
> have been sneaked in as well -- only that the commit would have been
> signed. Also, if the tags had been signed, the releases with the
> backdoor would have been published exactly as is -- the only
> difference: the respective tags would have been signed.
> 
> Just sayin ...

You are correct, it would not solve the problem of corrupted tarballs. I 
am saying this for the "git tag" approach proposed in the first mail. How 
do we ensure that the repository was not tampered with by a third party 
along the way, by let's say governments or network companies? 
Governments want to (and in some states they already do) install root 
certificates into your machines so that they can interfere with the 
encrypted https traffic. If the commits or at least the tags are not 
signed, it makes it easy for them (in the name of safety) to redirect the 
packager or user to a different server with a tampered repository.

No one will suspect anything, since there is no mechanism to make sure it 
is authentic.

Other than hard working honest developers, nothing can protect us from 
the xz type of attack.

Juraj
["signature.asc" (application/pgp-signature)]
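The thread keeps coming back to the same gap: a signed tarball or tag only helps the packager if the verification step actually pins the expected signing key, because a plain "Good signature" from gpg means only that some key in the local keyring produced the signature. The script below is an added example, not code from the thread or from KDE's release tooling. It parses the machine-readable `--status-fd` output of gpg (the same format `git verify-tag --raw` emits) and accepts a release only when a `VALIDSIG` line carries the pinned fingerprint and no `BADSIG`/`ERRSIG`/`EXPKEYSIG`/`REVKEYSIG` line is present. The fingerprints and status lines in `SAMPLE_STATUS_*` are constructed for the example; `PINNED_FPR` is a placeholder, not a real release key. As Tobias points out, this proves who signed the artifact, not that its contents are benign.

```shell
#!/bin/sh
# Added example: pin a release-signing key when verifying tarballs or git tags.
# Only the status-line parser below is pure shell; the two wrappers at the end
# shell out to gpg and git respectively.

# Placeholder fingerprint of the release-signing key a packager would pin
# (40 hex characters; constructed for this example, not a real KDE key).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status STATUS_TEXT EXPECTED_FPR
# Returns 0 only if a "[GNUPG:] VALIDSIG" line names EXPECTED_FPR as either
# the signing (sub)key fingerprint (field 3) or the primary-key fingerprint
# (last field), and no bad/error/expired/revoked signature line appears.
check_status() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" \
            && (toupper($3) == toupper(fpr) || toupper($NF) == toupper(fpr)) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" \
            || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_tarball TARBALL DETACHED_SIG EXPECTED_FPR
# gpg writes status lines to fd 1 with --status-fd 1; its exit code is
# deliberately ignored so that check_status is the single decision point.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_status "$status" "$3"
}

# verify_tag REPO_DIR TAG EXPECTED_FPR
# git verify-tag --raw prints the raw gpg status output on stderr.
verify_tag() {
    status=$(git -C "$1" verify-tag --raw "$2" 2>&1) || true
    check_status "$status" "$3"
}

# Constructed sample status output, shaped like what gpg emits for a valid
# signature made by a signing subkey whose primary key is a different key.
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-04-05 1712300000 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed sample for a signature that does not verify at all.
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'

# Constructed sample for a valid signature from some other key in the keyring:
# gpg would report "Good signature", but it must not pass a pinned check.
SAMPLE_STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-04-05 1712300000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Stand-alone demonstration against the constructed samples.
if check_status "$SAMPLE_STATUS_GOOD" "$PINNED_FPR"; then
    echo "sample good signature: accepted (pinned key matched)"
fi
if ! check_status "$SAMPLE_STATUS_OTHER_KEY" "$PINNED_FPR"; then
    echo "sample signature from another key: rejected despite GOODSIG"
fi
```

In practice the packager would run `verify_tarball foo-1.2.3.tar.xz foo-1.2.3.tar.xz.sig "$PINNED_FPR"` or `verify_tag /path/to/repo v1.2.3 "$PINNED_FPR"`, with the fingerprint obtained out of band (for example from the project's published release-key list) rather than from the same server that serves the artifact.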
