Re: Tagging in Salsa -> upload: status?

2020-08-21 Thread Bastian Blank
On Thu, Aug 20, 2020 at 10:24:18AM +0200, Bernd Zeimetz wrote:
> On 8/19/20 7:28 PM, Ansgar wrote:
> > Well, I can't fix it without creating dgit-ng (and setting up
> > infrastructure for that) as dgit upstream won't accept patches from me.
> That is just one of the reasons why I think that salsa should be used
> for "official" services like tag2upload.

What should Salsa be used for?  And what do you mean by "should be
used"?  Everyone can already set up services running off Salsa projects
and integrate them using various techniques.

About tag2upload, there we never left the "how should it work" stage.
(Okay, some think differently, but those are the ones proposing a solution
without collecting requirements first.) Talking about where it should
run might influence the solution, but not the overall feature set.

Bastian

-- 
Warp 7 -- It's a law we can live with.



Re: Tagging in Salsa -> upload: status?

2020-08-20 Thread Bernd Zeimetz



On 8/19/20 7:28 PM, Ansgar wrote:

> Well, I can't fix it without creating dgit-ng (and setting up
> infrastructure for that) as dgit upstream won't accept patches from me.

That is just one of the reasons why I think that salsa should be used
for "official" services like tag2upload.



-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                 http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Re: Tagging in Salsa -> upload: status?

2020-08-19 Thread Ansgar
On Wed, 2020-08-19 at 10:15 -0700, Sean Whitton wrote:
> On Fri 14 Aug 2020 at 09:04AM +02, Ansgar wrote:
> > There are also other issues such as the system seeming to accept
> > uploads from known-compromised keys last I looked at it, though
> > maybe security experts disagree how much of an issue this is in
> > practice.
> 
> If what you say about known-compromised keys is true (I think I might
> know what you're alluding to but am not sure), then obviously such a
> bug could easily be fixed.

Well, I can't fix it without creating dgit-ng (and setting up
infrastructure for that) as dgit upstream won't accept patches from me.

Ansgar



Re: Tagging in Salsa -> upload: status?

2020-08-19 Thread Sean Whitton
Hello Ansgar,

On Fri 14 Aug 2020 at 09:04AM +02, Ansgar wrote:

> There are also other issues such as the system seeming to accept
> uploads from known-compromised keys last I looked at it, though maybe
> security experts disagree how much of an issue this is in practice.

If what you say about known-compromised keys is true (I think I might
know what you're alluding to but am not sure), then obviously such a bug
could easily be fixed.

-- 
Sean Whitton




Re: Tagging in Salsa -> upload: status?

2020-08-19 Thread Sean Whitton
Hello Holger,

On Thu 13 Aug 2020 at 10:27PM GMT, Holger Levsen wrote:

> hi Sean,
>
> On Thu, Aug 13, 2020 at 02:22:15PM -0700, Sean Whitton wrote:
>> (It's worth noting that unlike salsa tags, the tags on dgit.debian.org
>> are immutable.  The maintainer pushes a tag to salsa but tag2upload
>> copies it to dgit.debian.org, where it becomes a permanent record.)
>
> how is that achieved technically? surely you thought about someone breaking
> into dgit.d.o and modifying stuff...?! :)

Rendering the tags even harder to delete is certainly an avenue for
future development.

At present, someone breaking into dgit.d.o could delete them, but
someone who breaks into ftp-master could delete signed .dscs, so
there's no regression.

-- 
Sean Whitton




Re: Tagging in Salsa -> upload: status?

2020-08-14 Thread Ansgar
Sean Whitton writes:
> Ian and I implemented something along these lines last summer and it's
> available to try from the archive; here is how:
> 
>
> As to the current status: FTP Team members objected to having
> uploader-signed git tags on dgit.debian.org be the canonical record of
> an uploader's intended source package (rather than uploader-signed .dsc
> files stored on other servers), and they objected to the ways in which
> the system relies on git SHA1 hashes.
>
> I still believe that the design is sound and deploying the system can
> and should go ahead, but we could not overcome the disagreement.

There are also other issues such as the system seeming to accept
uploads from known-compromised keys last I looked at it, though maybe
security experts disagree how much of an issue this is in practice.

Ansgar



Re: Tagging in Salsa -> upload: status?

2020-08-13 Thread Holger Levsen
hi Sean,

On Thu, Aug 13, 2020 at 02:22:15PM -0700, Sean Whitton wrote:
> (It's worth noting that unlike salsa tags, the tags on dgit.debian.org
> are immutable.  The maintainer pushes a tag to salsa but tag2upload
> copies it to dgit.debian.org, where it becomes a permanent record.)

how is that achieved technically? surely you thought about someone breaking
into dgit.d.o and modifying stuff...?! :)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Moral, truth, long term- and holistic thinking seem to mean nothing to us. The
emperors are naked. Every single one. It turns out our whole society is just
one big nudist party. (Greta Thunberg about the world reacting to the corona
crisis but not reacting appropriately to the climate crisis.)




Re: Tagging in Salsa -> upload: status?

2020-08-13 Thread Sean Whitton
Hello Thomas,

On Thu 13 Aug 2020 at 10:36PM +02, Thomas Goirand wrote:

> On 8/13/20 10:07 PM, Sean Whitton wrote:
>>
>> As to the current status: FTP Team members objected to having
>> uploader-signed git tags on dgit.debian.org be the canonical record of
>> an uploader's intended source package (rather than uploader-signed .dsc
>> files stored on other servers)
>
> Did you think about ways to workaround this, for example, by having some
> signed content in the signed git tag comment? For example, how about a
> signature for the .dsc file stored in it, and having the package
> reproducible (and making sure it is in the build process)? Or is the
> intent to completely avoid building packages on DDs' laptops? In such
> case, a signature of the debian/changelog could do?

Once you go down that road you basically end up with `dgit push-source`
which already exists and works well.

What would be worth having in addition to `dgit push-source` would be
source-only uploads triggered by the pure git operation of pushing a
signed tag to salsa, such that the entire package build chain occurs on
Debian-controlled hosts with a signed git tree as input, rather than the
current situation where various things happen on random DD laptops, even
for source-only uploads.

As I mentioned, the issue was that FTP Team members were unhappy with
how someone who wanted to verify uploader intent would need to fetch
tags from a git server as opposed to downloading .dsc files.

(It's worth noting that unlike salsa tags, the tags on dgit.debian.org
are immutable.  The maintainer pushes a tag to salsa but tag2upload
copies it to dgit.debian.org, where it becomes a permanent record.)

>> and they objected to the ways in which
>> the system relies on git SHA1 hashes.
>>
>> I still believe that the design is sound and deploying the system can
>> and should go ahead, but we could not overcome the disagreement.
>
> Is there a workaround for that git SHA1 weakness? Would it still be valid
> with my suggestion above?

Well, Ian and I do not think the issues with git and SHA1 are valid for
the ways in which git-debpush and tag2upload use git.  Several DDs who
are security experts (as indeed Ian is) analysed our design and agreed
with us.

The workarounds we came up with would compromise the simplicity and
usability of the system we came up with, so given that we do not think
that SHA1 worries are valid, we didn't consider any of them viable.

-- 
Sean Whitton



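Two points in this thread describe what a "knowledgeable tag consumer" has to do before it turns a pushed tag into an upload: Sean's description above of a build chain that starts from a signed git tag on a Debian-controlled host, and Ansgar's earlier remark that the prototype seemed to accept uploads from known-compromised keys. The code below is an added example written for this page; it is not tag2upload, git-debpush or dgit code and does not reproduce their tag format. It parses the machine-readable status lines that `git verify-tag --raw` relays from gpg (gpg's documented `--status-fd` format) and applies the consumer-side policy gpg alone does not: the signer's primary-key fingerprint must be on an uploader allowlist, must not be on a denylist of keys known to be compromised (a compromised key that nobody has revoked yet still gets GOODSIG), and the signature digest must not be a weak hash. The fingerprints, user id and status lines are constructed for the example. Note that the hash-algorithm check concerns the OpenPGP signature's digest, which is a separate question from the git object SHA1 issue discussed in the thread.

```python
"""Consumer-side policy check for an uploader-signed git tag.

Added example; not tag2upload or dgit code. Parses gpg --status-fd lines as
relayed on stderr by `git verify-tag --raw` and decides whether the signing
key is acceptable for an upload.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Set

# OpenPGP hash-algorithm ids (RFC 4880 section 9.4) a consumer should refuse.
WEAK_HASH_ALGOS = {1, 2, 3}  # MD5, SHA-1, RIPEMD-160

# Constructed fingerprints for the sample data below (not real keys).
PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNING_SUBKEY_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Constructed status output in gpg's --status-fd format. The signature was made
# with a subkey: VALIDSIG's first field is the subkey, its last field the primary.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {primary} 0
[GNUPG:] SIG_ID 3nd8kLqT0x4c5BvW1aQ2 2020-08-13 1597350000
[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG {subkey} 2020-08-13 1597350000 0 4 0 22 8 00 {primary}
[GNUPG:] TRUST_FULLY 0 pgp
""".format(primary=PRIMARY_FPR, subkey=SIGNING_SUBKEY_FPR)

SAMPLE_BADSIG = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Uploader <uploader@example.org>
"""

# gpg reports EXPKEYSIG instead of GOODSIG for an expired key but still emits VALIDSIG.
SAMPLE_EXPIRED = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")


@dataclass
class GpgStatus:
    good: bool = False
    problems: List[str] = field(default_factory=list)
    signing_fpr: Optional[str] = None
    primary_fpr: Optional[str] = None
    hash_algo: Optional[int] = None


def parse_gpg_status(text: str) -> GpgStatus:
    """Reduce gpg status lines to the facts the policy needs."""
    st = GpgStatus()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # git's own human-readable lines or noise: ignore
        keyword = parts[1]
        if keyword == "GOODSIG":
            st.good = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            st.problems.append(keyword)
        elif keyword == "VALIDSIG" and len(parts) >= 11:
            # fields: fpr sig-date sig-ts expire-ts sig-version reserved
            #         pubkey-algo hash-algo sig-class [primary-key-fpr]
            st.signing_fpr = parts[2].upper()
            st.hash_algo = int(parts[9])
            st.primary_fpr = parts[11].upper() if len(parts) > 11 else st.signing_fpr
    return st


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    fingerprint: Optional[str]
    reason: str


def normalise(fprs) -> Set[str]:
    return {f.replace(" ", "").upper() for f in fprs}


def check_tag_signature(status_text: str, allowed_fprs, compromised_fprs) -> Verdict:
    st = parse_gpg_status(status_text)
    if st.problems:
        return Verdict(False, st.primary_fpr, "gpg reported " + ", ".join(st.problems))
    if not (st.good and st.primary_fpr):
        return Verdict(False, None, "no valid signature")
    allowed, compromised = normalise(allowed_fprs), normalise(compromised_fprs)
    fpr = st.primary_fpr
    # Denylist first: a compromised but unrevoked key still verifies as GOODSIG.
    if fpr in compromised or st.signing_fpr in compromised:
        return Verdict(False, fpr, "signing key is on the compromised-key list")
    if fpr not in allowed:  # allowlist holds primary fingerprints, not subkeys
        return Verdict(False, fpr, "signing key is not an authorised uploader key")
    if st.hash_algo in WEAK_HASH_ALGOS:
        return Verdict(False, fpr, "signature uses weak hash algorithm %d" % st.hash_algo)
    return Verdict(True, fpr, "good signature by authorised key")


def verify_git_tag(repo_dir: str, tag: str, allowed_fprs, compromised_fprs) -> Verdict:
    """Check a tag in a real repository (needs git and gpg; not used by the samples)."""
    proc = subprocess.run(["git", "-C", repo_dir, "verify-tag", "--raw", tag],
                          capture_output=True, text=True, check=False)
    # With --raw the status lines arrive on stderr whether or not the signature was good.
    return check_tag_signature(proc.stderr, allowed_fprs, compromised_fprs)


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("badsig", SAMPLE_BADSIG), ("expired", SAMPLE_EXPIRED)):
        print(name, check_tag_signature(sample, {PRIMARY_FPR}, set()))
    print("denylisted", check_tag_signature(SAMPLE_GOOD, {PRIMARY_FPR}, {PRIMARY_FPR}))
```

This only answers "who signed the tag and may they upload"; a real consumer must also verify that the tag object points at the commit it will build from before handing the tree to the build chain, otherwise an attacker with push access to the salsa project could move the tag after the check.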

Re: Tagging in Salsa -> upload: status?

2020-08-13 Thread Thomas Goirand
On 8/13/20 10:07 PM, Sean Whitton wrote:
> Hello Didier, Christian,
> 
> On Thu 13 Aug 2020 at 09:08PM +02, Didier 'OdyX' Raboud wrote:
> 
>> Le jeudi, 13 août 2020, 11.19:59 h CEST Christian Kastner a écrit :
>>> Unless I'm grievously misremembering something, there was a discussion a
>>> while ago about automatically generating a source package and uploading
>>> it whenever a Debian release is (signed-)tagged in Salsa.
>>>
>>> If I did remember correctly: may I kindly inquire what the status on
>>> that is?
>>
>> I think I was the one with that idea [0], and I threw around some code last
>> winter, but I never really finished this; as I've stuck to using `dgit push-
>> source` for now.
>>
>> The idea would be to have: a `dgit tag-source-for-upload`, which produces a
>> tag with all the metadata needed by a knowledgeable tag consumer to reproduce
>> a signed .dsc + a signed _source.changes. That knowledgeable tag consumer
>> would run at the end of a salsa pipeline.
> 
> Ian and I implemented something along these lines last summer and it's
> available to try from the archive; here is how:
> 
> 
> As to the current status: FTP Team members objected to having
> uploader-signed git tags on dgit.debian.org be the canonical record of
> an uploader's intended source package (rather than uploader-signed .dsc
> files stored on other servers)

Did you think about ways to workaround this, for example, by having some
signed content in the signed git tag comment? For example, how about a
signature for the .dsc file stored in it, and having the package
reproducible (and making sure it is in the build process)? Or is the
intent to completely avoid building packages on DDs' laptops? In such
case, a signature of the debian/changelog could do?

> and they objected to the ways in which
> the system relies on git SHA1 hashes.
> 
> I still believe that the design is sound and deploying the system can
> and should go ahead, but we could not overcome the disagreement.

Is there a workaround for that git SHA1 weakness? Would it still be valid
with my suggestion above?

Cheers,

Thomas Goirand (zigo)



Re: Tagging in Salsa -> upload: status?

2020-08-13 Thread Sean Whitton
Hello Didier, Christian,

On Thu 13 Aug 2020 at 09:08PM +02, Didier 'OdyX' Raboud wrote:

> Le jeudi, 13 août 2020, 11.19:59 h CEST Christian Kastner a écrit :
>> Unless I'm grievously misremembering something, there was a discussion a
>> while ago about automatically generating a source package and uploading
>> it whenever a Debian release is (signed-)tagged in Salsa.
>>
>> If I did remember correctly: may I kindly inquire what the status on
>> that is?
>
> I think I was the one with that idea [0], and I threw around some code last
> winter, but I never really finished this; as I've stuck to using `dgit push-
> source` for now.
>
> The idea would be to have: a `dgit tag-source-for-upload`, which produces a
> tag with all the metadata needed by a knowledgeable tag consumer to reproduce
> a signed .dsc + a signed _source.changes. That knowledgeable tag consumer
> would run at the end of a salsa pipeline.

Ian and I implemented something along these lines last summer and it's
available to try from the archive; here is how:


As to the current status: FTP Team members objected to having
uploader-signed git tags on dgit.debian.org be the canonical record of
an uploader's intended source package (rather than uploader-signed .dsc
files stored on other servers), and they objected to the ways in which
the system relies on git SHA1 hashes.

I still believe that the design is sound and deploying the system can
and should go ahead, but we could not overcome the disagreement.

-- 
Sean Whitton




Re: Tagging in Salsa -> upload: status?

2020-08-13 Thread Didier 'OdyX' Raboud
Le jeudi, 13 août 2020, 11.19:59 h CEST Christian Kastner a écrit :
> Unless I'm grievously misremembering something, there was a discussion a
> while ago about automatically generating a source package and uploading
> it whenever a Debian release is (signed-)tagged in Salsa.
> 
> If I did remember correctly: may I kindly inquire what the status on
> that is?

I think I was the one with that idea [0], and I threw around some code last 
winter, but I never really finished this; as I've stuck to using `dgit push-
source` for now.

The idea would be to have: a `dgit tag-source-for-upload`, which produces a 
tag with all the metadata needed by a knowledgeable tag consumer to reproduce 
a signed .dsc + a signed _source.changes. That knowledgeable tag consumer 
would run at the end of a salsa pipeline.

But I am not at all Perl-fluent, and have stalled with a partial python-based 
proof-of-concept, sadly.

-- 
OdyX

[0] https://lists.debian.org/debian-devel/2019/10/msg00301.html




Tagging in Salsa -> upload: status?

2020-08-13 Thread Christian Kastner
Unless I'm grievously misremembering something, there was a discussion a
while ago about automatically generating a source package and uploading
it whenever a Debian release is (signed-)tagged in Salsa.

If I did remember correctly: may I kindly inquire what the status on
that is?