Re: buildd hosts

To: Mike Fedyk <mfedyk@matchmail.com>, debian-68k@lists.debian.org
Subject: Re: buildd hosts
From: Richard Zidlicky <Richard.Zidlicky@stud.informatik.uni-erlangen.de>
Date: Fri, 27 Apr 2001 12:03:16 +0200
Message-id: <20010427120315.C244@rz.informatik.uni-erlangen.de>
Mail-followup-to: Richard Zidlicky <rz>, Mike Fedyk <mfedyk@matchmail.com>, debian-68k@lists.debian.org
In-reply-to: <20010426115110.G22912@mikef-linux.matchmail.com>; from mfedyk@matchmail.com on Thu, Apr 26, 2001 at 11:51:10AM -0700
References: <20010426135156.K1603@muaddib.localnet> <200104261652.f3QGqYW18167@pier.ecn.purdue.edu> <20010426111550.D22912@mikef-linux.matchmail.com> <20010426132628.A3565@debian.org> <20010426115110.G22912@mikef-linux.matchmail.com>

On Thu, Apr 26, 2001 at 11:51:10AM -0700, Mike Fedyk wrote:
> On Thu, Apr 26, 2001 at 01:26:28PM -0500, Christian T. Steigies wrote:
> > On Thu, Apr 26, 2001 at 11:15:50AM -0700, Mike Fedyk wrote:
> > > On Thu, Apr 26, 2001 at 11:52:34AM -0500, Michael Shuey wrote:
> > > > I believe Mike isn't asking how I'd verify access for Debian developers on
> > > > my machine; he's asking how you Debian developers can prove that I haven't
> > > > modified my Mac to insert untrusted binaries into the distribution.  Keep
> > > > in mind I'm not a Debian developer, so my PGP keys aren't on the official
> > > > keyring.  I'm just some guy with a spare Mac. :-)
> > > > 
> > > Yes, that's it exactly...
> > These days most packages are built in a chroot. You don't know what a chroot
> > is? How do you want to put untrusted binaries in it ;-)
> 
> Yes, I know about chrooting, but not the intricacies of that environment.
> 
> I've read about modified compiler binaries producing more modified binaries.

the old KT login story? This will never work in practice.

> > Basically, the buildd maintainer on that machine installs another system
> > from scratch which runs inside your running linux by downloading packages
> > from the debian servers or by unpacking a prepared chroot onto your machine.
> > We trust Michael when he built that chroot.tgz (as Michael trusts me when
> > Roman and James wrote buildd and sbuild). And maybe you trust me when I
> > built the last base.tgz...
> > I think it'd be rather hard for you to get untrusted binaries into the
> > building system, not impossible, but a complete waste of time (who would be
> > hit by untrusted binaries after all? Only the buildd machines, or does any
> > serious business run on m68ks?). I think if somebody wanted to play jokes on
> > us, he'd pick any arch but m68k... (this is not an invitation!).
> 
> I know we're all volunteers, but this makes me wonder how hard it would be
> to really mess up the debian project like this.  I'm probably not the first
> to think of this too.

pretty easy I would say, at least 99% chance it is a compiler or other bug 
and not by intent. It seems to me that all distros are somewhat messed up
anyway :)

Bye
Richard

Reply to:

References:
- Re: buildd hosts
  - From: Ingo Juergensmann <ij@spice.cologne.de>
- Re: buildd hosts
  - From: Michael Shuey <shuey@ecn.purdue.edu>
- Re: buildd hosts
  - From: Mike Fedyk <mfedyk@matchmail.com>
- Re: buildd hosts
  - From: "Christian T. Steigies" <cts@debian.org>
- Re: buildd hosts
  - From: Mike Fedyk <mfedyk@matchmail.com>

Prev by Date: Re: Security? Re: Somebody build python2 for unstable (please, please!)
Next by Date: configure failing to decide compiler works
Previous by thread: Re: buildd hosts
Next by thread: configure failing to decide compiler works
Index(es):
- Date
- Thread