Summary
The Debian kernel downloader currently fetches .deb packages from the Debian archive and extracts data.tar.* without validating the downloaded artifact's integrity first.
We should add integrity validation for downloaded kernel packages before extraction so the downloader can detect tampering, corruption, or unexpected content.
Why
The current implementation in sanitizer/hack/kernel/internal/debian/debian.go trusts the downloaded package body after the HTTP request succeeds. Adding verification would improve the security posture of the downloader and make failures explicit when the archive contents do not match trusted Debian metadata.
Affected area
sanitizer/hack/kernel/internal/debian/debian.go
- Debian archive download and extraction flow used by Repository.FetchBundle
Proposed work
- Determine the trusted source of package integrity metadata for Debian kernel packages.
- Validate the downloaded kernel package against that metadata before extracting data.tar.*.
- Prefer a verification mechanism based on Debian-provided metadata/signatures where feasible.
- Return a clear error when validation fails.
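As an added illustration of the verify-before-extract gate proposed above (example code written for this issue, not code from the repository), the Go snippet below parses the Filename, Size and SHA256 fields from one stanza of a Debian Packages index, then checks a downloaded .deb body against them before anything is handed to the data.tar.* extractor. The type and function names (PackageIntegrity, ParsePackagesStanza, VerifyPackage, ErrIntegrity), the sample stanza and the sample body are all constructed for the example; it assumes the caller has already authenticated the Packages index through the signed Release/InRelease file, since a checksum copied from an unauthenticated source adds no protection against tampering.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// PackageIntegrity holds the subset of trusted Debian metadata this example
// needs. Assumption: these values come from a Packages index whose Release
// signature was verified by the caller, never from the download itself.
type PackageIntegrity struct {
	Filename string
	Size     int64
	SHA256   string // lowercase hex digest
}

// ErrIntegrity is wrapped by every verification failure so callers can
// match it with errors.Is and abort processing.
var ErrIntegrity = errors.New("debian package integrity check failed")

// ParsePackagesStanza extracts Filename, Size and SHA256 from one
// "Key: value" stanza of a Debian Packages index.
func ParsePackagesStanza(stanza string) (PackageIntegrity, error) {
	var pi PackageIntegrity
	for _, line := range strings.Split(stanza, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		switch key {
		case "Filename":
			pi.Filename = val
		case "Size":
			if _, err := fmt.Sscan(val, &pi.Size); err != nil {
				return pi, fmt.Errorf("bad Size %q: %w", val, err)
			}
		case "SHA256":
			pi.SHA256 = strings.ToLower(val)
		}
	}
	if len(pi.SHA256) != sha256.Size*2 {
		return pi, errors.New("stanza has no usable SHA256 field")
	}
	return pi, nil
}

// Sha256Hex returns the lowercase hex SHA256 digest of b.
func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyPackage reads at most Size+1 bytes of the download, rejects any
// size or digest mismatch, and only on success returns the body so the
// caller can extract data.tar.*. A failing body is never returned.
func VerifyPackage(r io.Reader, want PackageIntegrity) ([]byte, error) {
	body, err := io.ReadAll(io.LimitReader(r, want.Size+1))
	if err != nil {
		return nil, fmt.Errorf("reading %s: %w", want.Filename, err)
	}
	if int64(len(body)) != want.Size {
		return nil, fmt.Errorf("%w: %s: got %d bytes, metadata says %d",
			ErrIntegrity, want.Filename, len(body), want.Size)
	}
	wantSum, err := hex.DecodeString(want.SHA256)
	if err != nil {
		return nil, fmt.Errorf("%w: %s: malformed SHA256 in metadata", ErrIntegrity, want.Filename)
	}
	sum := sha256.Sum256(body)
	if subtle.ConstantTimeCompare(sum[:], wantSum) != 1 {
		return nil, fmt.Errorf("%w: %s: sha256 mismatch (got %x)", ErrIntegrity, want.Filename, sum)
	}
	return body, nil
}

func main() {
	// Constructed stand-in for a downloaded .deb body (a real one would be
	// the HTTP response from the Debian archive).
	body := []byte("!<arch>\nconstructed sample deb body, not a real package\n")
	// Constructed stanza standing in for the signed Packages index entry.
	stanza := fmt.Sprintf("Package: linux-image-example\nFilename: pool/main/l/linux/linux-image-example_1.0_amd64.deb\nSize: %d\nSHA256: %s\n",
		len(body), Sha256Hex(body))
	want, err := ParsePackagesStanza(stanza)
	if err != nil {
		panic(err)
	}
	if _, err := VerifyPackage(bytes.NewReader(body), want); err != nil {
		panic(err)
	}
	fmt.Println("verified; safe to extract data.tar.*")

	// Flip one byte: verification fails and extraction is skipped.
	tampered := append([]byte{}, body...)
	tampered[len(tampered)-1] ^= 0xff
	_, err = VerifyPackage(bytes.NewReader(tampered), want)
	fmt.Println("tampered download:", err)
}
```

The size check runs before hashing and the reader is capped at Size+1, so an oversized or truncated body is rejected without buffering more than the metadata allows; wrapping ErrIntegrity lets Repository.FetchBundle distinguish a verification failure from a transport error and stop processing with a descriptive message.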
Acceptance criteria
- Downloaded Debian kernel packages are validated before extraction.
- Validation failure stops processing and returns a descriptive error.
- The implementation documents which metadata/signature source is trusted.
- Tests cover at least the success path and a checksum/signature mismatch path.
Backlinks
Requested by: @afritzler