README: Leave notice on inherit integrity weaknesses of repo fetches
Neither git nor hg currently provide a production-ready replacement for weak SHA-1 commit IDs. Furthermore, kas mixes commit IDs and symbolic commit names in refspec. This permits attackers who gained control over a repository that kas fetches from to present manipulated content without kas noticing this. Aditya Sirish A Yelgundhalli recently reported one potential attack scenario, using branches that shadow commit IDs. While trying to mitigate this particular case, it became clear that there is no simple solutions with the given tools and interfaces. For now, warn prominently that only trusted sources should be used. There are extensions planned to address the issue at its root, likely by introducing content checksums. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This commit is contained in:
parent
78084c05bb
commit
d85adb9b93
@ -31,3 +31,12 @@ Key features provided by the build tool:
|
|||||||
- initiate bitbake build process
|
- initiate bitbake build process
|
||||||
|
|
||||||
See the `kas documentation <https://kas.readthedocs.io>`_ for further details.
|
See the `kas documentation <https://kas.readthedocs.io>`_ for further details.
|
||||||
|
|
||||||
|
SECURITY NOTICE
|
||||||
|
---------------
|
||||||
|
|
||||||
|
At this stage, kas does not validate the integrity of fetched repositories.
|
||||||
|
Make sure to only pull from trusted sources to ensure that the selected
|
||||||
|
revisions are the expected ones, specifically when using mirrors. Later
|
||||||
|
versions of kas may introduce integrity validation mechanisms such as
|
||||||
|
cryptographic checksums to strengthen supply chain security.
|
||||||
|
Loading…
Reference in New Issue
Block a user