Bug#958559: debian-kernel-handbook: document how to verify authenticity of git sources

2022-07-15 Thread Ben Hutchings
Control: tag -1 pending

On Sat, 2020-04-25 at 23:01 +0100, Ben Hutchings wrote:
> On Thu, 2020-04-23 at 19:30 +0200, Christoph Anton Mitterer wrote:
> [...]
> > It would be nice if the handbook tells people how to verify their
> > repos by proper git means, i.e. verify signatures on tags.
> 
> Yes, definitely.

I've finally got back to looking at the wording here.

The one place we refer to
 is in the section
"Building a development version of the Debian kernel package".  This is
about building unreleased changes, which of course are not tagged.  I
don't think we can reasonably give instructions for verifying them.

For ,
I have changed the URL to use "https:" and changed the instructions to
include tag verification with the aid of the Debian source package. 
It's annoyingly complex but should work:
https://kernel-team.pages.debian.net/kernel-handbook/ch-bugs.html#s9.2.1

Ben.

-- 
Ben Hutchings
Unix is many things to many people,
but it's never been everything to anybody.



Bug#958559: debian-kernel-handbook: document how to verify authenticity of git sources

2020-04-25 Thread Ben Hutchings
On Thu, 2020-04-23 at 19:30 +0200, Christoph Anton Mitterer wrote:
[...]
> It would be nice if the handbook tells people how to verify their
> repos by proper git means, i.e. verify signatures on tags.

Yes, definitely.

> At least for (2), Linus signs the tags, and the Debian kernel source
> package contains Linus' and Greg's keys, so a user could at least
> quite simply verify everything up to and including the respective tag.
>
>
> For the (1) I guess you guys don't use signatures, though. :-/

All but 2 of the tags we've made since converting from Subversion to
git are signed.

Ben.

-- 
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.



Bug#958559: debian-kernel-handbook: document how to verify authenticity of git sources

2020-04-23 Thread Christoph Anton Mitterer
Package: debian-kernel-handbook
Version: 1.0.19
Severity: normal
Hi.

The handbook seems to use two git repos:
1) https://salsa.debian.org/kernel-team/linux.git
   for Debian's packaging itself
2) git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
   for the upstream sources, e.g. when building packages for a newer
   vanilla version, or when bisecting
In both cases, the user would compile/execute code, which is effectively
unauthenticated and thus subject to all kinds of forgery.

Sure, (1) uses TLS, but given the extreme weakness of the
whole X.509 ecosystem, with ~150 CAs many of them extremely
untrustworthy or situated in countries known to abuse these
CAs for hacking... and several thousands of intermediate CAs...
it's effectively the same as unauthenticated.

(2) even uses a plain git:// URL which is not even HTTPS protected.
It would be nice if the handbook tells people how to verify their
repos by proper git means, i.e. verify signatures on tags.

At least for (2), Linus signs the tags, and the Debian kernel source
package contains Linus' and Greg's keys, so a user could at least
quite simply verify everything up to and including the respective tag.

For the (1) I guess you guys don't use signatures, though. :-/
Cheers,
Chris
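The tag verification that this report asks for, and that Ben's reply says the handbook now describes, done with git's own means: an added example that is not from the handbook or from either poster. It assumes git and gpg 2.1 or later are installed, and that the keyring shipped in the Debian linux source package lives at debian/upstream/signing-key.asc (an assumed path; check the unpacked package); the fixture it builds for demonstration is constructed data, not real kernel tags.

```shell
#!/bin/sh
# Added example, not text from the handbook or the bug report: verify a signed
# git tag against ONLY the keys in a trusted keyring file, inside a throw-away
# GNUPGHOME so nothing in ~/.gnupg can vouch for the tag. Assumes git and
# gpg >= 2.1 are installed; for the Debian linux source package the keyring
# is assumed to be debian/upstream/signing-key.asc (check the unpacked tree).
set -eu

# verify_tag REPO TAG KEYRING -> exit 0 only if TAG carries a good signature
# from a key in KEYRING. A well-formed signature by an unknown key fails.
verify_tag() {
    home=$(mktemp -d)
    GNUPGHOME=$home gpg --batch --quiet --import "$3" 2>/dev/null
    if GNUPGHOME=$home git -C "$1" verify-tag "$2" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    GNUPGHOME=$home gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    return $rc
}

# gen_key GNUPGHOME UID: constructed, passphrase-less key for the demo data.
gen_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never 2>/dev/null
}

# make_fixture DIR: constructed demo repository DIR/repo with two signed tags,
# v-trusted (signer exported to DIR/keyring.asc) and v-untrusted (signer NOT
# in that keyring, standing in for a tag not made by the upstream maintainer).
make_fixture() {
    repo=$1/repo
    git init -q "$repo"
    git -C "$repo" -c user.name=t -c user.email=t@example.com \
        commit -q --allow-empty -m init
    for who in trusted untrusted; do
        gen_key "$1/gnupg-$who" "$who@example.com"
        GNUPGHOME=$1/gnupg-$who git -C "$repo" -c user.name="$who" \
            -c user.email="$who@example.com" \
            -c user.signingkey="$who@example.com" tag -s "v-$who" -m "$who"
        GNUPGHOME=$1/gnupg-$who gpgconf --kill gpg-agent 2>/dev/null || true
    done
    GNUPGHOME=$1/gnupg-trusted gpg --batch --armor --export trusted@example.com \
        > "$1/keyring.asc"
}
```

Against a real checkout the call is `verify_tag /path/to/linux v5.10 /path/to/signing-key.asc`; the point of the isolated GNUPGHOME is that only the keys you deliberately imported can make the check pass.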