author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2013-03-26 17:41:53 -0400
committer: Guido Günther <agx@sigxcpu.org> 2013-03-29 12:29:08 +0100
commit: 4323cc8838ea53008e911811160182f975ffb360
tree: e2a7291eccd4ff8689c1e32340868fbeac041191
parent: 64ed77c4afdaeae8a91a4ade068a4b8f9b50544b
Include the name of the package being built in the debian tag message
Currently, the message in the debian tag is just:

    "Debian release %s" % cp.version

This is a bad idea, because it means that the signed message itself contains no mention of the project that is being worked on. Since all git repositories are conceptually the same git repository (some just have commits that others don't have), a malicious attacker could inject tags from project A into the repository for project B and the original developer's signature on those tags would be intact.

This is potentially a security problem. For example: if there are automated build systems that pull from a repo and verify signed tags made by a known developer (and that developer contributes to multiple projects), this conflation could be used to make those systems build packages from an entirely other project.

The attached patch enforces the inclusion of the name of the package into the tag's message.

Closes: #704018
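The commit message describes the consumer side of the problem: a build system that only runs signature verification accepts any tag the developer ever signed, from any project. The signature proves who made the tag, not which package it was made for, so the consumer has to read the tag message and compare the source name it carries against the package it intends to build. The following is an added example of that check, written for this page; it is not gbp's code and not part of the patch. The tag objects are constructed in the layout `git cat-file -p <tag>` prints (headers, blank line, message, embedded signature block); the hashes, tagger and signature body are placeholders, and the `foo`/`bar` package names are assumptions.

```python
import re

# Constructed sample tag objects (not real tags). A tag in the old format has no
# package name in its message; the two new-format tags name "foo" and "bar".
TAG_OLD_FORMAT = """object 0123456789abcdef0123456789abcdef01234567
type commit
tag debian/1.2-1
tagger Example Developer <dev@example.org> 1364334113 -0400

Debian release 1.2-1
-----BEGIN PGP SIGNATURE-----

placeholder-signature-body
-----END PGP SIGNATURE-----
"""

TAG_FOO = TAG_OLD_FORMAT.replace("Debian release 1.2-1", "foo Debian release 1.2-1")
TAG_BAR = TAG_OLD_FORMAT.replace("Debian release 1.2-1", "bar Debian release 1.2-1")

# The embedded signature is stripped before looking at the message; verifying
# the signature itself is assumed to have been done already (e.g. `git verify-tag`).
SIG_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----\n?", re.S
)
# Message format written by the patched gbp: "<source> Debian release <version>"
MSG_RE = re.compile(r"^(?P<source>\S+) Debian release (?P<version>\S+)$")


def parse_tag_object(text):
    """Split a tag object as printed by `git cat-file -p` into its header
    fields plus the message with any signature block removed."""
    headers, _, body = text.partition("\n\n")
    fields = {}
    for line in headers.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    fields["message"] = SIG_RE.sub("", body).strip()
    return fields


def tag_authorizes_build(tag_text, expected_source, expected_version):
    """Return True only if the tag message binds the expected source package
    and version. A tag whose message carries no package name (old format) or
    names a different package is refused, even though its signature is valid."""
    tag = parse_tag_object(tag_text)
    first_line = tag["message"].splitlines()[0] if tag["message"] else ""
    m = MSG_RE.match(first_line)
    if m is None:
        return False
    return (
        m.group("source") == expected_source
        and m.group("version") == expected_version
    )


if __name__ == "__main__":
    # Building package "foo" at version 1.2-1: only the tag that names foo passes.
    for label, tag in (("old", TAG_OLD_FORMAT), ("foo", TAG_FOO), ("bar", TAG_BAR)):
        print(label, tag_authorizes_build(tag, "foo", "1.2-1"))
```

Two points for anyone wiring this into a build pipeline: run `git verify-tag` (or `git tag -v`) first and only then apply the message check, and treat a tag whose message does not match the expected format as a refusal rather than falling back to an older, name-less format, since the name-less format is exactly what an injected tag from another project would carry.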
-rwxr-xr-x gbp/scripts/buildpackage.py 2
1 files changed, 1 insertions, 1 deletions
diff --git a/gbp/scripts/buildpackage.py b/gbp/scripts/buildpackage.py
index c021b866..bdb3177e 100755
--- a/gbp/scripts/buildpackage.py
+++ b/gbp/scripts/buildpackage.py
@@ -559,7 +559,7 @@ def main(argv):
tag = repo.version_to_tag(options.debian_tag, cp.version)
if options.retag and repo.has_tag(tag):
repo.delete_tag(tag)
- repo.create_tag(name=tag, msg="Debian release %s" % cp.version,
+ repo.create_tag(name=tag, msg="%s Debian release %s" % (cp['Source'], cp.version),
sign=options.sign_tags, keyid=options.keyid)
if options.posttag:
sha = repo.rev_parse("%s^{}" % tag)
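Review bot: the new `repo.create_tag(...)` line in this hunk runs well past 79 columns; wrap the format arguments onto a continuation line, e.g. `msg="%s Debian release %s" % (cp['Source'],` / `cp.version),` so the file stays within the project's existing line width. Also, because the protection only materialises when a consumer parses the message and compares the source name against the package it is about to build, the new message format `"%s Debian release %s"` should be documented (manpage and debian/changelog) as a stable contract rather than left as an undocumented string change, and any other code path in gbp that creates a `Debian release` tag message should be updated in the same commit so that tags from all gbp tools carry the package name consistently.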