Should we stop distributing source tarballs?
Juraj Oravec
jurajoravec at mailo.com
Fri Apr 5 08:23:55 BST 2024
On Friday 5 April 2024 9:04:14 CEST Tobias Leupold wrote:
> On 05.04.24 at 06:25, Juraj Oravec wrote:
> > Hello Albert,
> >
> > The release tarballs can be signed with GPG (or is it PGP?), which
> > provides another layer of protection to make sure the release is
> > authentic.
> >
> > If KDE wants to lead by example and use only git tags for releases,
> > at least the tags should be signed with GPG for verification.
> >
> > It would be best to have all commits in the repository signed (in
> > Gitlab "Verified"). While we are unable to make sure that the
> > historical commits are also signed, since most of them are not, at
> > least new commits and tags should be signed. Maybe the commits can
> > be signed retrospectively (while breaking the repository history),
> > but this is probably just my dream.
>
> If all commits in the xz repo had been signed, the backdoor
> would have been sneaked in as well -- only that the commit would have
> been signed. Also if the tags had been signed, the releases
> with the backdoor would have been published exactly as is -- the only
> difference: the respective tags would have been signed.
>
> Just sayin ...
You are correct, it would not solve the problem of corrupted tarballs. I
am saying this for the "git tag" approach proposed in the first mail. How
do we ensure that the repository was not tampered with by a third party
along the way, by let's say governments or network companies? The
governments want to (and in some states they already do) install root
certificates into your machines so that they can interfere in the
encrypted https traffic. If the commits or at least tags are not signed,
it makes it easy for them (in the name of safety) to redirect the
packager or user to a different server with a tampered repository.
No one will suspect anything since there is no mechanism to make sure it
is authentic.
Other than hard working honest developers, nothing can protect us from
the xz type of attack.
Juraj
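The check the thread is discussing, as an added example that is not part of this mailing-list post or of any KDE release tooling: a throwaway GPG key signs a commit, a release tag and the tarball cut from that tag, then each is verified with `git verify-commit`, `git tag -v` and `gpg --verify`, and the same checks are run against an altered tarball and against a tag that a mirror has replaced with an unsigned one. It assumes `git` and `gpg` (2.1 or later) are on PATH; the key identity, project name and files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the kde-devel thread: sign a commit, a release tag and the
# tarball cut from that tag with a throwaway GPG key, verify all three, then show what
# the same checks say about an altered tarball and a tag replaced by an unsigned one.
# Assumes git and gpg (2.1+) on PATH. Key identity and project name are constructed.
set -eu

# Throwaway keyring so nothing touches the real ~/.gnupg.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Bot <release@example.invalid>' ed25519 sign 0 2>/dev/null
KEYID=$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')

verify_commit() {   # $1 = repo, $2 = commit-ish; 0 only with a good signature
    git -C "$1" verify-commit "$2" >/dev/null 2>&1
}
verify_tag() {      # $1 = repo, $2 = tag; 0 only with a good signature
    git -C "$1" tag -v "$2" >/dev/null 2>&1
}
verify_tarball() {  # $1 = tarball, $2 = detached signature; 0 only with a good signature
    gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1
}

# A one-commit project with a signed commit (-S) and a signed annotated tag (-s).
REPO="$WORK/proj"
git init -q "$REPO"
git -C "$REPO" config user.name 'Release Bot'
git -C "$REPO" config user.email 'release@example.invalid'
git -C "$REPO" config user.signingkey "$KEYID"
echo 'constructed project file' > "$REPO/README"
git -C "$REPO" add README
git -C "$REPO" commit -q -S -m 'Initial import'
git -C "$REPO" tag -s v1.0 -m 'Release 1.0'

# Cut the release tarball from the tag and produce a detached, armored signature.
TARBALL="$WORK/proj-1.0.tar"
git -C "$REPO" archive --format=tar --prefix=proj-1.0/ v1.0 > "$TARBALL"
gpg --batch --quiet --local-user "$KEYID" --armor --detach-sign \
    --output "$TARBALL.asc" "$TARBALL"

# The honest release: commit, tag and tarball all verify.
verify_commit "$REPO" HEAD && COMMIT_OK=yes || COMMIT_OK=no
verify_tag "$REPO" v1.0 && TAG_OK=yes || TAG_OK=no
verify_tarball "$TARBALL" "$TARBALL.asc" && TAR_OK=yes || TAR_OK=no

# One extra byte in the tarball and the detached signature no longer matches.
cp "$TARBALL" "$TARBALL.tampered"
printf '\n' >> "$TARBALL.tampered"
verify_tarball "$TARBALL.tampered" "$TARBALL.asc" && TAMPERED_TAR_OK=yes || TAMPERED_TAR_OK=no

# A mirror that swaps v1.0 for its own annotated but unsigned tag: the signed-tag
# policy check fails, so a packager running 'git tag -v' notices the replacement.
git -C "$REPO" tag -f -a v1.0 -m 'Replaced on a mirror' >/dev/null
verify_tag "$REPO" v1.0 && REPLACED_TAG_OK=yes || REPLACED_TAG_OK=no

printf 'commit=%s tag=%s tarball=%s tampered_tarball=%s replaced_tag=%s\n' \
    "$COMMIT_OK" "$TAG_OK" "$TAR_OK" "$TAMPERED_TAR_OK" "$REPLACED_TAG_OK"
```

Expected line: `commit=yes tag=yes tarball=yes tampered_tarball=no replaced_tag=no`. The signatures only establish that the key holder produced exactly these bytes, which is what catches a tampered mirror or tarball in transit; as the quoted reply notes, a signature says nothing about whether the signed content itself is benign.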