Re: Compromising Debian Repositories

[Daniel Sousa <daniel@sousa.me>]

On Sun, Aug 4, 2013 at 2:55 PM, Michael Stone <mstone@debian.org> wrote:

On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:

I think the real issue is about if the malicious patch is not part of
the source package

Why? It certainly makes your argument simpler if you arbitrarily restrict the problem set, but it isn't obvious that it makes sense. If I was going to backdoor something, I'd just make an innocent-looking coding error that would enable a successful exploit; I certainly wouldn't put in a commented section of code that says "backdoor here". With sufficient effort it wouldn't be hard to inject such a vulnerability that would go unnoticed for years--and I'm not sure why that's less of an issue than someone making a one-time build with a malicious patch that is not part of the source package.

First of all, they could apply that change (calling it a patch was not one of my greatest ideas) for every update they do, it's not necesserily a one time thing. It's also much easier (and probably much dangerous) to write some code that doesn't need to be cryptic, you can just write whatever you want instead of trying to find something that can pass as a mistake (although this seams a fun thing to do)

Despite this, the most important reason is that I don't see anyway to prevent that from happening, but we can prevent this. It's not easy and will take a lot of work, but at least it is theoretically possible.

I don't have any experience on this and I would not know where to start (I haven't even done a Debain package, ever), but if there's any workgroup or anyone working on this, I would like to help