README: Leave notice on inherent integrity weaknesses of repo fetches

Neither git nor hg currently provides a production-ready replacement for
weak SHA-1 commit IDs. Furthermore, kas mixes commit IDs and symbolic
commit names in refspec. This permits attackers who gained control over
a repository that kas fetches from to present manipulated content
without kas noticing this.

Aditya Sirish A Yelgundhalli recently reported one potential attack
scenario, using branches that shadow commit IDs. While trying to
mitigate this particular case, it became clear that there are no simple
solutions with the given tools and interfaces.

For now, warn prominently that only trusted sources should be used.
There are extensions planned to address the issue at its root, likely by
introducing content checksums.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka 2023-02-12 18:43:42 +01:00
parent 78084c05bb
commit d85adb9b93

@ -31,3 +31,12 @@ Key features provided by the build tool:
- initiate bitbake build process
See the `kas documentation <https://kas.readthedocs.io>`_ for further details.
SECURITY NOTICE
---------------
At this stage, kas does not validate the integrity of fetched repositories.
Make sure to only pull from trusted sources to ensure that the selected
revisions are the expected ones, specifically when using mirrors. Later
versions of kas may introduce integrity validation mechanisms such as
cryptographic checksums to strengthen supply chain security.
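Review bot: The notice says kas "does not validate the integrity of fetched repositories" but does not tell the reader what is and is not checked, so a user may conclude that pinning a full SHA-1 commit ID in the refspec is a sufficient mitigation; the commit message shows it is not, because kas mixes commit IDs and symbolic names in refspec and a remote can serve a branch that shadows a commit ID. Suggest adding one sentence after "Make sure to only pull from trusted sources ...", e.g. "Note that specifying a commit ID in a refspec does not by itself guarantee that the expected content is checked out, since symbolic names (branches, tags) resolved from the same refspec can shadow it." Also consider stating that the notice applies to both git and hg fetches, as the commit message does, since the README section otherwise reads as git-specific.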