Hi Daniel,

Thanks for your patch. Some questions/comments below.

On Tue, Mar 26, 2013 at 05:41:53PM -0400, Daniel Kahn Gillmor wrote:
> Package: git-buildpackage
> Version: 0.6.0~git20120601
> Severity: normal
> Tags: patch
>
> Currently, the message in the debian tag is just:
>
>   "Debian release %s" % cp.version
>
> This is a bad idea, because it means that the signed message itself
> contains no mention of the project that is being worked on.
We had a complaint that this is already too much information (just
cp.version was deemed enough).

> Since all git repositories are conceptually the same git repository
> (some just have commits that others don't have), a malicious attacker
> could inject tags from project A into the repository for project B and
> the original developer's signature on those tags would be intact.

Given that he has commit access to that repo.

> This is potentially a security problem. For example: if there are
> automated build systems that pull from a repo and verify signed tags
> made by a known developer (and that developer contributes to multiple
> projects), this conflation could be used to make those systems build
> packages from an entirely other project.

Assuming you don't check that the commit you build can reach the debian
branch head.

> The attached patch enforces the inclusion of the name of the package
> into the tag's message.

I'm not convinced that this helps an automated build system. Isn't this
just a hint (that can be enforced by a commit hook)? It certainly eases
the detection that the commit belongs to the package. But if we're really
after security here we should also document a proper setup for automated
builds, otherwise the fix isn't useful as is. What workflow is on your
mind?
Cheers,
 -- Guido

> Regards,
>
>         --dkg
>
>
> -- System Information:
> Debian Release: 7.0
>   APT prefers testing
>   APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages git-buildpackage depends on:
> ii  devscripts       2.12.6
> ii  git              1:1.7.10.4-1+wheezy1
> ii  python           2.7.3-4
> ii  python-dateutil  1.5+dfsg-0.1
> ii  python2.6        2.6.8-1.1
> ii  python2.7        2.7.3-6
>
> Versions of packages git-buildpackage recommends:
> pn  cowbuilder    <none>
> ii  pristine-tar  1.25
>
> Versions of packages git-buildpackage suggests:
> pn  python-notify  <none>
> ii  unzip          6.0-8
>
> -- debconf-show failed

> diff --git a/gbp/scripts/buildpackage.py b/gbp/scripts/buildpackage.py
> index 4137e66..f738f97 100755
> --- a/gbp/scripts/buildpackage.py
> +++ b/gbp/scripts/buildpackage.py
> @@ -551,7 +551,7 @@ def main(argv):
> tag = repo.version_to_tag(options.debian_tag, cp.version)
> if options.retag and repo.has_tag(tag):
> repo.delete_tag(tag)
> - repo.create_tag(name=tag, msg="Debian release %s" % cp.version,
> + repo.create_tag(name=tag, msg="%s Debian release %s" %
> (cp['Source'], cp.version),
> sign=options.sign_tags, keyid=options.keyid)
> if options.posttag:
> sha = repo.rev_parse("%s^{}" % tag)

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
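Review bot: as quoted, the hunk is not a well-formed patch: the new continuation line `(cp['Source'], cp.version),` carries no `+` marker, and the header `@@ -551,7 +551,7 @@` counts seven lines on both sides, which cannot hold with one `-` line and two lines of new code, so the patch as shown would not apply cleanly and should be regenerated from the committed change. The change also ships without a documentation or changelog entry describing the new tag message format, which tooling that reads these messages would need to know about. Finally, the package name in the message is a label only: a consumer still has to verify the signature against an explicitly allowed key and check that `<tag>^{}` is an ancestor of the packaging branch before building, as Guido notes above, so the commit message or docs should say that this is a hint rather than an enforcement mechanism.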
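The "proper setup for automated builds" Guido asks for above, as an added example that is not part of this thread or of git-buildpackage: a check a build job could run before building anything from a signed tag. It assumes the tag message format from dkg's patch (`<source> Debian release <version>`), a git checkout on disk with `git` and `gpg` available, the tag name and packaging branch name as arguments, and a set of allowed signing-key fingerprints pinned by the build operator; every function and variable name in it is my own, and the gpg status lines used for the checks are constructed.

```python
"""Verify that a signed git tag is safe to hand to an automated Debian build.

Added example; not code from the original thread or from git-buildpackage.
It assumes the tag message format introduced by the posted patch
("<source> Debian release <version>") and a git checkout on disk.
Three checks are made before a build is allowed:
  1. the tag carries a good signature from an explicitly allowed key,
  2. the tag message names the source package this job is meant to build,
  3. the tagged commit is reachable from the packaging branch head
     (the check Guido points out is needed regardless of the message).
"""
import re
import subprocess
import sys
from typing import Optional, Set, Tuple

# Message format from the patch under discussion; Debian source package
# names are lowercase alphanumerics plus '+', '-' and '.'.
TAG_SUBJECT_RE = re.compile(
    r"^(?P<source>[a-z0-9][a-z0-9+.-]+) Debian release (?P<version>\S+)$"
)


def parse_tag_subject(subject: str) -> Optional[Tuple[str, str]]:
    """Return (source, version) if the tag subject has the expected shape."""
    m = TAG_SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    return m.group("source"), m.group("version")


def signature_acceptable(gpg_status: str, allowed_fingerprints: Set[str]) -> bool:
    """Decide from raw gpg status lines (as emitted by `git verify-tag --raw`)
    whether the signature is good AND made by one of the pinned keys.

    GOODSIG alone only says some key in the keyring verified the data;
    VALIDSIG carries the full fingerprint, which is what we pin on."""
    good = False
    fingerprint = None
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # human-readable chatter, not a status line
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 3:
            fingerprint = parts[2]
        elif parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False
    return good and fingerprint in allowed_fingerprints


def _git(repo: str, *args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["git", "-C", repo, *args], capture_output=True, text=True)


def verify_build_tag(repo: str, tag: str, expected_source: str,
                     branch: str, allowed_fingerprints: Set[str]) -> Tuple[bool, str]:
    """Run the three checks against a real checkout; returns (ok, reason)."""
    # 1. signature: --raw puts the machine-readable gpg status on stderr
    sig = _git(repo, "verify-tag", "--raw", tag)
    if sig.returncode != 0 or not signature_acceptable(sig.stderr, allowed_fingerprints):
        return False, "tag signature missing, bad, or from a key that is not allowed"
    # 2. the message must name the package this build job is for
    subj = _git(repo, "for-each-ref", "--format=%(contents:subject)", f"refs/tags/{tag}")
    parsed = parse_tag_subject(subj.stdout)
    if parsed is None or parsed[0] != expected_source:
        return False, f"tag message does not name {expected_source}: {subj.stdout.strip()!r}"
    # 3. the tagged commit must be in the history of the packaging branch
    anc = _git(repo, "merge-base", "--is-ancestor", f"{tag}^{{}}", branch)
    if anc.returncode != 0:
        return False, f"tagged commit is not reachable from {branch}"
    return True, f"ok: {parsed[0]} {parsed[1]}"


if __name__ == "__main__":
    if len(sys.argv) < 6:
        sys.exit("usage: verify_build_tag.py REPO TAG SOURCE BRANCH FINGERPRINT...")
    repo, tag, source, branch, *fprs = sys.argv[1:]
    ok, why = verify_build_tag(repo, tag, source, branch, set(fprs))
    print(why)
    sys.exit(0 if ok else 1)
```

Checks 1 and 3 are the ones that actually bind the build to a developer and to a branch; check 2 only catches the cross-project tag injection dkg describes when the message format is trusted, which is why pinning on the VALIDSIG fingerprint rather than on GOODSIG matters: a tag signed by any key in the build host's keyring would otherwise pass.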