During the peripheral beer-drinking of the SUCON '04, a colleague of mine raised the concern that Debian stable includes binary code compiled on untrusted machines. I would like to herewith propose to change that for the future.

An upload to Debian consists of a binary and source package. The binary is included primarily to ensure that the uploader verified the build. However, it is also used to take load off the autobuilders. Thus, for every upload, only 10 of the 11 architectures need to be built; the binary for the uploader's architecture is channeled to the archive without modification.

This opens the possibility that the binary stems from a different source than the source package provides. Thus, a trojan could make it to the archive without being detected, and even though only one architecture would then be affected, it's a grave security problem. Even if the builder did not knowingly upload a trojan, his/her build environment could be contaminated.

I think that the Debian autobuilders should compile the DEB files for *all* architectures. The binary upload should still be required for the aforementioned reasons, but it should not make it to the archive. Since I assume that most binaries accompanying a source upload are i386, this would possibly require us to stock up on the i386 autobuilder(s), which is the least of a problem.

I would say this requires few changes and causes a great increase in the security and trustworthiness of the Debian archive. Or, put differently, if companies find out that the binaries they install were compiled on home-user PCs without special precautions, Debian won't exactly gain popularity.

Comments welcome.

-- 
Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
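The two archive policies the mail contrasts (accept the uploader's binary as-is versus rebuild every architecture on an autobuilder), as an added example written for this page. It is not code from Debian's archive software or from the autobuilder network. The .changes fragment, the four-entry architecture list standing in for the eleven of the time, and the "autobuilder rebuild" digests are all constructed sample data; the only real format used is the Checksums-Sha256 layout of a .changes file. The final comparison between the uploader's .deb and the rebuilt one is the extra signal a practitioner would want on top of discarding the binary, and it is only meaningful where the package builds reproducibly.

```python
"""Model of how a Debian source+binary upload turns into a build plan.

Added illustration, not Debian's own archive or autobuilder code.
All sample data (changes fragment, arch list, rebuild digests) is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def _digest(label: str) -> str:
    """Constructed stand-in for a real file checksum."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed: a short list instead of the 11 release architectures of the time.
ARCHES = ("i386", "amd64", "powerpc", "sparc")

# Constructed .changes fragment in the real Checksums-Sha256 layout:
# one indented "<sha256> <size> <filename>" line per file.
UPLOAD_CHANGES = f"""Source: foo
Architecture: source i386
Checksums-Sha256:
 {_digest('foo_1.0-1.dsc')} 812 foo_1.0-1.dsc
 {_digest('foo_1.0.orig.tar.gz')} 51234 foo_1.0.orig.tar.gz
 {_digest('foo_1.0-1_i386.deb (uploader build)')} 40331 foo_1.0-1_i386.deb
"""

# Constructed: checksum of what an autobuilder produced from the same source.
REBUILD_DIGESTS = {
    "foo_1.0-1_i386.deb": _digest("foo_1.0-1_i386.deb (autobuilder build)"),
}


@dataclass(frozen=True)
class UploadFile:
    sha256: str
    size: int
    name: str

    @property
    def arch(self) -> Optional[str]:
        """Architecture of a binary package (name_version_arch.deb), else None."""
        m = re.fullmatch(r".+_([a-z0-9-]+)\.deb", self.name)
        return m.group(1) if m else None


def parse_checksums(changes: str) -> List[UploadFile]:
    """Read the Checksums-Sha256 block of a .changes file."""
    files, in_block = [], False
    for line in changes.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # first unindented line ends the block
            sha, size, name = line.split()
            files.append(UploadFile(sha, int(size), name))
    return files


def build_plan(files: List[UploadFile], rebuild_all: bool) -> Dict[str, str]:
    """Who supplies each architecture's binary.

    rebuild_all=False is the practice the mail describes: the uploader's
    binary enters the archive unmodified and only the other arches get built.
    rebuild_all=True is the proposal: every arch is built by an autobuilder.
    """
    uploaded = {f.arch for f in files if f.arch}
    return {
        a: "autobuilder" if rebuild_all or a not in uploaded else "uploader"
        for a in ARCHES
    }


def rebuild_mismatches(files: List[UploadFile], rebuild: Dict[str, str]) -> List[str]:
    """Uploaded .debs whose checksum differs from the autobuilder's rebuild.

    Under the proposal the uploader's binary is discarded either way; a
    mismatch is an extra signal, and only a meaningful one for reproducible builds.
    """
    return [f.name for f in files if f.arch and rebuild.get(f.name) != f.sha256]


if __name__ == "__main__":
    files = parse_checksums(UPLOAD_CHANGES)
    print("current :", build_plan(files, rebuild_all=False))
    print("proposed:", build_plan(files, rebuild_all=True))
    print("differs :", rebuild_mismatches(files, REBUILD_DIGESTS))
```

Under the current policy the plan marks i386 as "uploader" and the other three as "autobuilder"; under the proposal all four are "autobuilder", and the uploaded i386 .deb is reported as differing from the rebuild because its (constructed) checksum does not match.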