
Re: *seconded* Re: Bits (Nybbles?) from the Vancouver release team meeting



Hi, Ola Lundqvist wrote:

> Hello
> 
> On Wed, Mar 16, 2005 at 03:27:27PM +0100, Matthias Urlichs wrote:
>> Hi, Rob Taylor wrote:
>> 
>> > Do you think it might be better to have a trusted builder keyring, with
>> > strict rules on what makes a trusted builder (it seems rather a
>> > different set of issues to that addressed by the DD criterion)?
>> 
>> That makes sense -- but only if Debian switches to source-only uploads.
> 
> Why are source-only uploads needed for this?
> 
I didn't say it was needed, I said it doesn't make sense.

Either anybody can build and upload anything -- then strict rules
and checks are overkill.

Or packages are built by firewalled trusted build systems. It doesn't
make sense to do that only when we feel like it -- if we have to have
"build machines need to be secure systems" rules, these should be applied
to every package, with the possible exclusion of "real" binNMUs.

At the moment we basically trust every DD not to have a compromised
machine (or, horrors, a malicious DD) -- worse, we ignore the possibility
of binary Trojans, which aren't evident from source code and thus much
harder to track down if something happens. I think that, long-term, this
might be a bit too risky.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  smurf@smurf.noris.de



