Re: Rebuilding packages on *all* architectures



martin f krafft <madduck@debian.org> writes:

> During the peripheral beer-drinking of the SUCON '04, a colleague of
> mine raised the concern that Debian stable includes binary code
> compiled on untrusted machines. I would like to herewith propose to
> change that for the future.
>
> An upload to Debian consists of a binary and source package. The
> binary is included primarily to ensure that the uploader verified
> the build. However, it is also used to take load off the
> autobuilders. Thus, for every upload, only 10 of the 11
> architectures need to be built; the binary for the uploader's
> architecture is channeled to the archive without modification.

The binary is needed because otherwise the -all packages would be
missing and there would be no deb package in the archive holding the
source in.

> This opens the possibility that the binary stems from a different
> source than the source package provides. Thus, a trojan could make
> it to the archive without being detected, and even though only one
> architecture would then be affected, it's a grave security problem.
> Even if the builder did not knowingly upload a trojan, his/her build
> environment could be contaminated.

Sure, the DD could insert some trojan into the binary. He could also
insert a trojan into the source. And are you aware of the thread about
buildds being run partly by non-DDs who can't be trusted, and thus
the archive being tainted by the autobuilt debs?

A DD could also upload a binary recompile NMU with some flimsy excuse
for package foo with a trojan, then upload source for package bar that
Build-Depends: foo to get the trojan installed on the buildds and then
upload a new foo source to remove the tainted foo and cover his
tracks. The buildds would then be tainted and could insert trojans
into every built package.

Too obvious? And DDs wouldn't do that? How about just hacking a Debian
mirror from which a buildd downloads and swapping out package foo
against a tainted one? apt-get doesn't validate the Release.gpg so you
just need to recompute the md5sums for the Packages and Release file
and no one will ever know. Scared yet?

> I think that the Debian autobuilders should compile the DEB files
> for *all* architectures. The binary upload should still be required
> for the aforementioned reasons, but it should not make it to the
> archive. Since I assume that most binaries accompanying a source
> upload are i386, this would possibly require us to stock up on the
> i386 autobuilder(s), which is the least of a problem.

I too think that the Debian autobuilders should compile the DEB files
for *all* architectures. They should also compile the Arch: all
packages. But security is the least of my worries. Accidental
miscompiles due to contaminated environments are (as in older or newer
libs than unstable has, more packages installed than Build-Depends
suggests, ..., and not tainted as in root-kits).

> I would say this requires little changes and causes a great increase
> in the security and trustworthiness of the Debian archive. Or, put
> differently, if companies find out that the binaries they install
> were compiled on home-user PCs without special precautions, Debian
> won't exactly gain popularity.
>
> Comments welcome.

MfG
        Goswin
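The mirror point raised in the message above (apt-get of that time not checking Release.gpg, so that recomputed md5sums in Packages and Release go unnoticed) can be made concrete from the defender's side. What follows is an added example, not code from the post or from Debian's own tools: it builds constructed, in-memory Packages and Release files, verifies the Release -> Packages -> .deb hash chain the way a client would, and shows that the chain alone is satisfied by a mirror whose indices were regenerated after a file swap, while an out-of-band anchor (here a pinned SHA-256 of Release, standing in for verifying Release.gpg against a pinned archive key) is what detects it. The package path, file contents and helper names are all constructed for the example.

```python
import hashlib

# Constructed sample archive: one .deb whose bytes stand in for a real package.
CLEAN_DEBS = {"pool/main/f/foo/foo_1.0-1_i386.deb": b"clean foo binary"}
INDEX = "main/binary-i386/Packages"


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_packages(debs: dict) -> bytes:
    """Build a minimal Packages index: one stanza per .deb with Filename, Size, MD5sum."""
    stanzas = []
    for path, data in sorted(debs.items()):
        name = path.rsplit("/", 1)[-1].split("_")[0]
        stanzas.append(f"Package: {name}\nFilename: {path}\n"
                       f"Size: {len(data)}\nMD5sum: {md5hex(data)}\n")
    return "\n".join(stanzas).encode()


def make_release(packages: bytes) -> bytes:
    """Minimal Release file whose MD5Sum section covers the Packages index."""
    return f"Suite: stable\nMD5Sum:\n {md5hex(packages)} {len(packages)} {INDEX}\n".encode()


def release_anchor(release: bytes) -> str:
    """Out-of-band anchor: stands in for checking Release.gpg with a pinned archive key.
    A mirror can regenerate md5sums, but it cannot regenerate this value."""
    return hashlib.sha256(release).hexdigest()


def parse_release_md5(release: bytes) -> dict:
    """Return {index_name: (md5, size)} from the MD5Sum section of a Release file."""
    entries, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_section = False
    return entries


def parse_packages(packages: bytes) -> dict:
    """Return {Filename: (MD5sum, Size)} from a Packages index (blank-line separated stanzas)."""
    entries, stanza = {}, {}
    for line in packages.decode().splitlines() + [""]:
        if not line.strip():
            if "Filename" in stanza:
                entries[stanza["Filename"]] = (stanza["MD5sum"], int(stanza["Size"]))
            stanza = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            stanza[key.strip()] = value.strip()
    return entries


def verify_chain(release: bytes, packages: bytes, debs: dict, anchor: str = None) -> list:
    """Check Release -> Packages -> .deb; return findings (an empty list means consistent).

    With anchor=None this is the hash-only check the post describes: it catches a
    swapped .deb only when the indices were not rebuilt to match it.
    """
    findings = []
    if anchor is not None and release_anchor(release) != anchor:
        findings.append("Release does not match the trusted anchor")
    listed = parse_release_md5(release).get(INDEX)
    if listed is None:
        findings.append(f"Release has no entry for {INDEX}")
    elif listed != (md5hex(packages), len(packages)):
        findings.append("Packages index does not match Release")
    for path, expected in parse_packages(packages).items():
        data = debs.get(path)
        if data is None:
            findings.append(f"{path} missing from mirror")
        elif expected != (md5hex(data), len(data)):
            findings.append(f"{path} does not match Packages")
    return findings


def reindexed_mirror(debs: dict, path: str, replacement: bytes):
    """Model a mirror whose .deb was replaced and whose Packages and Release were
    regenerated to match: the case the post says md5sums alone cannot catch."""
    changed = dict(debs)
    changed[path] = replacement
    packages = make_packages(changed)
    return make_release(packages), packages, changed


if __name__ == "__main__":
    pkgs = make_packages(CLEAN_DEBS)
    rel = make_release(pkgs)
    anchor = release_anchor(rel)  # obtained out of band, e.g. from a signed Release
    print("clean mirror:", verify_chain(rel, pkgs, CLEAN_DEBS, anchor))
    rel2, pkgs2, debs2 = reindexed_mirror(CLEAN_DEBS, next(iter(CLEAN_DEBS)), b"swapped foo binary")
    print("reindexed, hashes only:", verify_chain(rel2, pkgs2, debs2))
    print("reindexed, with anchor:", verify_chain(rel2, pkgs2, debs2, anchor))
```

The design point is that every hash below Release is recomputable by whoever controls the mirror, so the md5sum chain only protects against transport corruption and against a swap that was not accompanied by reindexing; the one check that a mirror cannot satisfy on its own is the comparison against something the client trusts independently, which in the real archive is the signature on Release.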