Package: debian-kernel-handbook
Version: 1.0.19
Severity: normal

Hi.

The handbook seems to use two git repos:
1) https://salsa.debian.org/kernel-team/linux.git
   for Debian's packaging itself
2) git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
   for the upstream sources, e.g. when building packages for a newer
   vanilla version, or when bisecting


In both cases, the user would compile/execute code, which is effectively
unauthenticated and thus subject to all kinds of forgery.


Sure, (1) uses TLS, but given the extreme weakness of the
whole X.509 ecosystem, with ~150 CAs many of them extremely
untrustworthy or situated in countries known to abuse these
CAs for hacking... and several thousands of intermediate CAs...
it's effectively the same as unauthenticated.

(2) even uses a plain git:// URL which is not even HTTPS protected.


It would be nice if the handbook tells people how to verify their
repos by proper git means, i.e. verify signatures on tags.

At least for (2), Linus signs the tags, and the Debian kernel source
package contains Linus' and Greg's keys, so a user could at least
quite simply verify everything up to and including the respective tag.


For (1) I guess you guys don't use signatures, though. :-/


Cheers,
Chris
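As an added illustration of the tag verification suggested above (this script is not part of the bug report or the handbook), the following POSIX shell function verifies an upstream tag against an isolated keyring built only from a key file; the path debian/upstream/signing-key.asc in the Debian linux source tree is assumed, as is the expected fingerprint the caller compares against.

```shell
#!/bin/sh
# Added example: verify the signature on a git tag using ONLY the keys in a
# given key file, never the user's personal keyring or trust database.
# Assumed key file location (not confirmed by the bug report):
#   <debian linux source tree>/debian/upstream/signing-key.asc
set -eu

# verify_kernel_tag <repo-dir> <tag> <keyfile>
# Exit status 0 and the primary-key fingerprint of the signer on stdout if
# the tag carries a good signature from a key in <keyfile>; non-zero
# otherwise (unsigned tag, bad signature, or signer not in the key file).
verify_kernel_tag() {
    repo=$1 tag=$2 keyfile=$3
    # Throwaway GNUPGHOME: the verification is pinned to <keyfile> alone.
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    gpg --batch --quiet --import "$keyfile" 2>/dev/null
    status=0
    # --raw yields gpg's machine-readable status lines on stderr.
    raw=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || status=$?
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    [ "$status" -eq 0 ] || return 1
    # VALIDSIG's last field is the primary key fingerprint; compare it with
    # the fingerprint published for the upstream maintainer.
    printf '%s\n' "$raw" | awk '$2 == "VALIDSIG" { print $NF; exit }'
}

# Usage (after cloning the upstream repo into ./linux):
#   verify_kernel_tag ./linux v6.6 ./debian/upstream/signing-key.asc
```

Compare the printed fingerprint with the one documented for the upstream signer; an isolated keyring means a signature from any other key, however well trusted locally, is rejected.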
