Commit d85adb9

README: Leave notice on inherent integrity weaknesses of repo fetches

Neither git nor hg currently provide a production-ready replacement for weak SHA-1 commit IDs. Furthermore, kas mixes commit IDs and symbolic commit names in refspec. This permits attackers who gained control over a repository that kas fetches from to present manipulated content without kas noticing this.

Aditya Sirish A Yelgundhalli recently reported one potential attack scenario, using branches that shadow commit IDs. While trying to mitigate this particular case, it became clear that there are no simple solutions with the given tools and interfaces.

For now, warn prominently that only trusted sources should be used. There are extensions planned to address the issue at its root, likely by introducing content checksums.

Signed-off-by: Jan Kiszka <[email protected]>
1 parent 78084c0 commit d85adb9

1 file changed

+9
-0
lines changed

README.rst

+9
@@ -31,3 +31,12 @@ Key features provided by the build tool:
3131
- initiate bitbake build process
3232

3333
See the `kas documentation <https://kas.readthedocs.io>`_ for further details.
34+
35+
SECURITY NOTICE
36+
---------------
37+
38+
At this stage, kas does not validate the integrity of fetched repositories.
39+
Make sure to only pull from trusted sources to ensure that the selected
40+
revisions are the expected ones, specifically when using mirrors. Later
41+
versions of kas may introduce integrity validation mechanisms such as
42+
cryptographic checksums to strengthen supply chain security.
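Review bot: the added SECURITY NOTICE is vaguer than the problem the commit message describes, and a README reader cannot tell from it what "does not validate the integrity of fetched repositories" means in practice. The message explains the concrete gap: refspecs mix raw commit IDs with symbolic names, so a repository (or mirror) under attacker control can serve a branch whose name shadows a commit ID, and kas checks it out without noticing. A user who has pinned every refspec to a commit ID will read the current wording as not applying to them. Suggest adding one sentence after the first, along the lines of "Note that pinning a refspec to a commit ID does not protect against this: a repository under attacker control can serve a branch or tag whose name shadows that ID." Two smaller points: "specifically when using mirrors" reads as "especially when using mirrors", and since the message names both git and hg, the notice could state that it applies to both fetchers.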