Re: Compromising Debian Repositories

To: debian-security@lists.debian.org
Subject: Re: Compromising Debian Repositories
From: Joe <joe@jretrading.com>
Date: Mon, 5 Aug 2013 21:11:21 +0100
Message-id: <[🔎] 20130805211121.4c397073@jretrading.com>
In-reply-to: <[🔎] 85k3k0tuv2.fsf@boum.org>
References: <[🔎] CAKhc=u4jKgHLdsXpTB2ecQ1T2CEv-AMa5geM6OqN+sgcYKnP8g@mail.gmail.com> <[🔎] 51FCCA78.5080604@riseup.net> <[🔎] 20130803101706.GA363@dingens.org> <[🔎] 51FCDDAA.3080208@riseup.net> <[🔎] 20130803112956.GA5775@dingens.org> <[🔎] 51FDC4C1.7050307@riseup.net> <[🔎] 85li4hx5b0.fsf@boum.org> <[🔎] 51FE0CF8.9090702@stranner.org> <[🔎] b31dba54-fd0c-11e2-a173-001cc0cda50c@msgid.mathom.us> <[🔎] CAKhc=u4DAm-UeMqpb5ow2kr37Wpr9ZmUAPpo1AuJwCZj7hPLdA@mail.gmail.com> <[🔎] 51FEC685.3020803@riseup.net> <[🔎] 85k3k0tuv2.fsf@boum.org>

On Mon, 05 Aug 2013 10:17:05 +0200
intrigeri <intrigeri@debian.org> wrote:

> Hi,
> 
> I need a reality check, as it's unclear to me what are the goals of
> this discussion.
> 
> Does anyone involved plan to work on improving things, and then we're
> discussing where it would be best to focus their energy? If that's the
> case, then I suggest we try to design solutions with baby steps that
> can realistically be implemented on the short term.
> 
> Or is the goal simply to assess the security of our current
> infrastructure in various threat models? If that's the case, then how
> about clearly writing these threat models so that we can then reason
> on the same basis?
> 
> Or is the goal something entirely different that I missed?
> 
>

I don't think there is a goal, I think we are all ruefully conceding
that the much-vaunted Open Source process is simply unable to deliver
trustworthy code, since the process of compiling the Open Sources
to binary involves using utterly un-auditable binaries, running on
un-auditable processors manufactured by a very small number of
companies.

We can also assume that if something is technically possible, perhaps
involving the outright purchase or intimidation of a few hundred humans,
then the largest organised crime syndicates on the planet (a.k.a.
governments) will do it.

-- 
Joe

Reply to:

Follow-Ups:
- Re: Compromising Debian Repositories
  - From: Michael Stone <mstone@debian.org>

References:
- Compromising Debian Repositories
  - From: Daniel Sousa <daniel@sousa.me>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: Volker Birk <vb@pibit.ch>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: Volker Birk <vb@pibit.ch>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: intrigeri <intrigeri@debian.org>
- Re: Compromising Debian Repositories
  - From: Heimo Stranner <heimo@stranner.org>
- Re: Compromising Debian Repositories
  - From: Michael Stone <mstone@debian.org>
- Re: Compromising Debian Repositories
  - From: Daniel Sousa <daniel@sousa.me>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: intrigeri <intrigeri@debian.org>

Prev by Date: Re: [SECURITY] [DSA 2734-1] wireshark security update
Next by Date: Re: Compromising Debian Repositories
Previous by thread: Re: Compromising Debian Repositories
Next by thread: Re: Compromising Debian Repositories
Index(es):
- Date
- Thread