Simon Josefsson writes ("Bug#1111319: Permissions on your gsasl fork on salsa
(was Re: Bug#1111319: git-debpush should somehow perform https repo
availability check)"):
> Yeah, I realized this earlier but forgot about it. I think this is a
> mild security problem: salsa seems to leak tags pushed to private git
> repos to the tag2upload service. The webhook configuration should not
> trigger for private repositories, I think? I doubt anything on salsa
> could be assumed to stay private, but it seems like a design concern. I
> don't think the tag2upload service should change, but the webhook on
> salsa should be fixed to not send non-public tags in the first place.
We've thought about this and personally I think the current situation
is OK. In fact, salsa is sending a great deal more data to our
webhook than it ought to:
https://salsa.debian.org/salsa/support/-/issues/494
https://gitlab.com/gitlab-org/gitlab/-/issues/558030
But the HTTP transactions are secured via TLS and the tag2upload
service manager that is receiving them has quite a good level of
security. So yes, it's receiving some confidential information, but
this is only available to Sean and me (and to DSA admins), via the
manager's on-host debug log.
As for the public log: tags pushed to private repositories will be
reported in the public log only if they contain the "[dgit
please-upload]" instruction. (And even so the only public information
is the timestamp, repo URL, source package name, and version number.)
If you want to discuss this more, this bug report probably isn't the
right place.
> I tend to use personal forks on salsa for development reasons.
OK, just so long as that was intentional.
> As for UX, I think git-debpush pushes to the "right" git remote, at
> least in my experience. Which sometimes actually isn't the "real"
> Debian git repository (i.e., Vcs-* URL) but my own private fork,
> depending on how I checked out the branch. I haven't been surprised by
> its behaviour, and have learned to use --remote=origin when in doubt.
> It doesn't really matter which remote "wins" the tag2upload race, since
> I push the same tag to both places.
OK, good. So I think the check I'm asking for in this bug would sort
this out.
> Btw, is [email protected] publicly archived as a mailing list?
No. We've been using un-archived private email for "support" type
emails, and the BTS for things where we've identified a possible
improvement in git-debpush and/or the tag2upload service.
Thanks,
Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
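The receiver-side check discussed above, as an added example that is not code from tag2upload, git-debpush or salsa: a filter over GitLab tag-push webhook payloads that refuses events from non-public projects before anything about them is logged, and builds a public-log record (timestamp, repository URL, source name, version) only for tags carrying the "[dgit please-upload]" instruction. The payload field names (object_kind, ref, after, message, project.visibility_level, project.web_url, project.path_with_namespace) are GitLab's; the sample events are constructed, and the policy choices (treating "internal" as non-public, taking the repository name as the source package name, and unmangling only the two DEP-14 version characters) are assumptions made for illustration.

```python
"""Receiver-side visibility filter for GitLab tag_push webhook events.

Illustrative example only: not the tag2upload service's real code.
"""
import json
from dataclasses import dataclass
from typing import Optional, Tuple

PLEASE_UPLOAD = "[dgit please-upload]"
VISIBILITY_PUBLIC = 20      # GitLab: 0 = private, 10 = internal, 20 = public
NULL_SHA = "0" * 40         # GitLab sets "after" to this when a tag is deleted
TAG_PREFIX = "refs/tags/"


@dataclass
class TagPush:
    repo_url: str
    project_path: str
    tag: str
    visibility: int
    message: str
    deleted: bool


def parse_tag_push(payload: str) -> Optional[TagPush]:
    """Return a TagPush for a tag_push event, or None for anything else."""
    try:
        ev = json.loads(payload)
    except json.JSONDecodeError:
        return None
    if ev.get("object_kind") != "tag_push":
        return None
    ref = ev.get("ref", "")
    if not ref.startswith(TAG_PREFIX):
        return None
    project = ev.get("project") or {}
    return TagPush(
        repo_url=str(project.get("web_url", "")),
        project_path=str(project.get("path_with_namespace", "")),
        tag=ref[len(TAG_PREFIX):],
        # A missing visibility_level is treated as private (fail closed).
        visibility=int(project.get("visibility_level", 0)),
        message=ev.get("message") or "",
        deleted=ev.get("after") == NULL_SHA,
    )


def should_process(tp: Optional[TagPush]) -> Tuple[bool, str]:
    """Decide whether the event may enter processing at all.

    Private and internal projects are refused here, before any repo URL,
    tag name or message is written to a log, so a sender-side hook that
    fires for non-public repositories still leaks nothing on this side.
    (Assumption: "internal" counts as non-public.)
    """
    if tp is None:
        return False, "not a tag push"
    if tp.deleted:
        return False, "tag deletion"
    if tp.visibility != VISIBILITY_PUBLIC:
        return False, "project not public"
    return True, "ok"


def version_from_tag(tag: str) -> Optional[str]:
    """Recover the Debian version from a debian/<version> tag name.

    Reverses the two DEP-14 manglings handled here: '%' -> ':', '_' -> '~'.
    """
    if not tag.startswith("debian/"):
        return None
    return tag[len("debian/"):].replace("%", ":").replace("_", "~")


def public_log_entry(tp: Optional[TagPush], timestamp: str) -> Optional[dict]:
    """Minimal public-log record, or None if nothing may be published.

    Only tags carrying the please-upload instruction are reported, and
    the record never includes the tag message itself.
    """
    ok, _ = should_process(tp)
    if not ok or PLEASE_UPLOAD not in tp.message:
        return None
    # Assumption: the salsa repository name equals the source package name.
    source = tp.project_path.rsplit("/", 1)[-1]
    return {"timestamp": timestamp, "repo": tp.repo_url,
            "source": source, "version": version_from_tag(tp.tag)}


def _payload(visibility: int, tag: str, message: str, after: str = "a" * 40) -> str:
    """Build a constructed tag_push event (not captured from salsa)."""
    return json.dumps({
        "object_kind": "tag_push", "ref": TAG_PREFIX + tag, "after": after,
        "message": message,
        "project": {"web_url": "https://salsa.debian.org/example/hello",
                    "path_with_namespace": "example/hello",
                    "visibility_level": visibility},
    })


SAMPLE_PUBLIC_UPLOAD = _payload(20, "debian/1%2.0_rc1-1", "hello release\n\n[dgit please-upload]\n")
SAMPLE_PRIVATE_UPLOAD = _payload(0, "debian/1%2.0_rc1-1", "hello release\n\n[dgit please-upload]\n")
SAMPLE_PUBLIC_PLAIN = _payload(20, "upstream/2.0", "plain upstream tag, no instruction")
SAMPLE_DELETED = _payload(20, "debian/1%2.0_rc1-1", "", after=NULL_SHA)

if __name__ == "__main__":
    for name, p in [("public", SAMPLE_PUBLIC_UPLOAD), ("private", SAMPLE_PRIVATE_UPLOAD),
                    ("plain", SAMPLE_PUBLIC_PLAIN), ("deleted", SAMPLE_DELETED)]:
        tp = parse_tag_push(p)
        print(name, should_process(tp), public_log_entry(tp, "2025-08-15T12:00:00Z"))
```

The point of ordering the checks this way is that the visibility decision is made from the payload alone and before any logging; everything that reaches the debug log has already passed it, which is the property Simon's message asks the sender-side hook to provide.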