From d85adb9b934fc9290d36f340f55ab658f33552e8 Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Sun, 12 Feb 2023 18:43:42 +0100 Subject: [PATCH] README: Leave notice on inherent integrity weaknesses of repo fetches Neither git nor hg currently provide a production-ready replacement for weak SHA-1 commit IDs. Furthermore, kas mixes commit IDs and symbolic commit names in refspec. This permits attackers who gained control over a repository that kas fetches from to present manipulated content without kas noticing this. Aditya Sirish A Yelgundhalli recently reported one potential attack scenario, using branches that shadow commit IDs. While trying to mitigate this particular case, it became clear that there are no simple solutions with the given tools and interfaces. For now, warn prominently that only trusted sources should be used. There are extensions planned to address the issue at its root, likely by introducing content checksums. Signed-off-by: Jan Kiszka --- README.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.rst b/README.rst index 5d2547d..0d95961 100644 --- a/README.rst +++ b/README.rst @@ -31,3 +31,12 @@ Key features provided by the build tool: - initiate bitbake build process See the `kas documentation `_ for further details. + +SECURITY NOTICE +--------------- + +At this stage, kas does not validate the integrity of fetched repositories. +Make sure to only pull from trusted sources to ensure that the selected +revisions are the expected ones, specifically when using mirrors. Later +versions of kas may introduce integrity validation mechanisms such as +cryptographic checksums to strengthen supply chain security.
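Review bot: The new SECURITY NOTICE in README.rst understates the failure mode the commit message describes: it tells users that "selected revisions" may not be "the expected ones" but does not say that a `refspec` given as a full commit ID is no safer than a branch or tag name, because kas resolves commit IDs and symbolic names through the same code path and a branch that shadows a commit ID is reported to win. Readers who take "pin to a SHA-1" as the obvious mitigation will believe they are covered. Suggest adding one sentence after "specifically when using mirrors.", e.g. "Note that pinning a refspec to a commit ID does not by itself guarantee the fetched content, since kas currently resolves commit IDs and symbolic names (branches, tags) alike without verifying them." Two smaller points: "Make sure to only pull from trusted sources" would read more precisely as "Make sure to pull only from trusted sources", and the notice could state what a trusted source means in this context (a repository and mirror whose write access you control or audit), since that is the only mitigation the notice offers until the checksum mechanism mentioned in the last sentence exists.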