Fabian Grünbichler writes ("Re: Bug#1127616: developers-reference: should 
document using git-debpush to upload"):
> This is a red herring - binary artifacts (and other problematic files)
> can (and are) committed to git as well. Maintainers have to be vigilant
> in any case.

I agree that maintainers ought to check for this kind of thing.  But
(a) tarballs contain random bad stuff *much* more often, and (b) checking
for them is much harder because they exist outside of version control.

I'm not saying git is a panacea, but it is significantly better.

> This argument also doesn't really hold for xz-style attacks - the generated
> tarball just happened to be the vehicle for transporting the payload in that
> particular case,

This was not happenstance.  It was a deliberate subterfuge by the
attacker.  No doubt if Debian hadn't been in the habit of importing
tarballs, the attack trigger would have been put into git somehow, but
doing that, and successfully evading detection, is rather harder than
in the tarball (where no-one is expecting, for example, that each
change comes with a human-readable explanation in the form of a commit
message).

Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
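The check the message above is arguing for, as an added example that is not part of the original thread or of any Debian tooling: given a release tarball and the git tag it claims to correspond to, list every file that is shipped in the tarball but was never tracked in git. Files that show up here are exactly the ones that reached the user without a commit message or history behind them. The script assumes `git` and `tar` are installed; the repository, tag, tarball and the extra `m4/extra.m4` file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original poster's code. Compares a release tarball
# with the git tree at a tag and prints the files that git never tracked.
# Assumes git and tar are available; the fixture built by build_demo is
# constructed data for this demonstration.
set -eu

# tarball_untracked TARBALL GITDIR TAG
# Prints, one per line, every regular file in TARBALL (with the top-level
# "pkg-version/" directory stripped) that is not tracked by git at TAG.
tarball_untracked() {
    tarball=$1; gitdir=$2; tag=$3
    tracked=$(mktemp); shipped=$(mktemp)
    # What version control knows about at the tag.
    git -C "$gitdir" ls-tree -r --name-only "$tag" | sort > "$tracked"
    # What the tarball actually ships: drop directory entries (they end
    # in "/") and the leading release directory, then sort for comm(1).
    tar -tf "$tarball" | grep -v '/$' | sed 's,^[^/]*/,,' | sort > "$shipped"
    # Lines only in the second file: shipped but not tracked.
    comm -13 "$tracked" "$shipped"
    rm -f "$tracked" "$shipped"
}

# build_demo DIR
# Constructs a tiny git repository tagged v1.0 under DIR/src and a release
# tarball DIR/demo-1.0.tar that contains the tracked files plus one m4 file
# that never went through version control (the shape of a tarball-only
# payload that a git import would have had to carry as a visible commit).
build_demo() {
    dir=$1
    mkdir -p "$dir/src"
    (
        cd "$dir/src"
        git init -q
        printf 'all:\n\ttrue\n' > Makefile
        printf 'AC_INIT([demo],[1.0])\n' > configure.ac
        git add .
        git -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -q -m 'release 1.0'
        git tag v1.0
    )
    mkdir -p "$dir/demo-1.0/m4"
    cp "$dir/src/Makefile" "$dir/src/configure.ac" "$dir/demo-1.0/"
    # Constructed: a file present only in the release artefact.
    printf '# generated at release time, never committed\n' \
        > "$dir/demo-1.0/m4/extra.m4"
    tar -C "$dir" -cf "$dir/demo-1.0.tar" demo-1.0
}

# Stand-alone run: build the fixture and report what the tarball adds.
workdir=$(mktemp -d)
build_demo "$workdir"
tarball_untracked "$workdir/demo-1.0.tar" "$workdir/src" v1.0
```

Running it prints `m4/extra.m4`, the only path the tarball carries that git does not. Against a real upstream the same two arguments are the downloaded tarball and a clone at the release tag; the output is the list worth reading by hand, and an empty list means the tarball contains nothing that was not reviewable in history (it says nothing about whether tracked files were modified, which `diff -r` against `git archive` output covers).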
