Re: Compromising Debian Repositories
On Sat, 3 Aug 2013 10:48:52 +0200
Paul Wise <pabs@debian.org> wrote:
> On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote:
>
> > I was reading this [1] article and it brought a question to my
> > mind: How hard would it be for the FBI or the NSA or the CIA to
> > have a couple of agents infiltrated as package maintainers and
> > seeding compromised packages to the official repositories?
>
> Probably easy.
>
> > Could they submit an uncompromised source and keep a small patch
> > that they apply before building and sending it to the repository?
> > Or is the building process done on Debian servers?
>
> They could. All of the Architecture: all packages are built on
> developer machines. For most packages, at least one architecture for
> each architecture-specific binary package has been built on developer
> machines. In practice this means arch all, amd64 and some i386
> packages are built on developer machines. We have been talking about
> changing this for a long time and there is a plan but the relevant
> people haven't had time to implement it yet.
>
It is easy to monitor all internet traffic on a test system.
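The point above about binaries being built on developer machines suggests the check a practitioner would want: rebuild the package from the uploaded source and compare the payload of the rebuild with the .deb that landed in the archive. The following Python is an added example, not Debian tooling and not code from this thread; its ar/.deb parser is minimal, the two packages it compares are constructed in memory, and `make_deb`, `compare_debs` and the `demo` package are illustrative names.

```python
"""Compare the payloads of two .deb packages, path by path.

Added example, not Debian tooling: given the binary package from the archive
and one rebuilt locally from the corresponding source upload, list every path
whose content differs.  A patch applied on the uploader's machine before
building shows up here as a changed or extra file.
"""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob: bytes) -> dict:
    """Parse the ar container that a .deb is.

    Every member has a 60-byte header: name(16) mtime(12) uid(6) gid(6)
    mode(8) size(10) fmag(2); member data is padded to an even offset.
    """
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii"))
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)
    return members


def payload_hashes(deb: bytes) -> dict:
    """Map each regular file in data.tar* to the SHA-256 of its content."""
    members = ar_members(deb)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a format 2.0 .deb")
    data_name = next(n for n in members if n.startswith("data.tar"))
    hashes = {}
    # "r:*" lets tarfile detect gzip/xz/bz2, as used by real data.tar members
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                hashes[m.name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return hashes


def compare_debs(archive_deb: bytes, rebuilt_deb: bytes) -> dict:
    """Paths that differ between the archive's binary and the local rebuild."""
    a, b = payload_hashes(archive_deb), payload_hashes(rebuilt_deb)
    return {
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
        "only_in_archive": sorted(a.keys() - b.keys()),
        "only_in_rebuild": sorted(b.keys() - a.keys()),
    }


# --- constructed sample input (assembled in memory, not produced by dpkg-deb) ---

def make_deb(files: dict) -> bytes:
    """Assemble a minimal format 2.0 .deb from {path: content}."""
    def ar_member(name: str, data: bytes) -> bytes:
        hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
               + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n")
        return hdr.encode("ascii") + data + (b"\n" if len(data) % 2 else b"")

    def tar_gz(entries: dict) -> bytes:
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for path, content in entries.items():
                info = tarfile.TarInfo(path)
                info.size = len(content)
                tf.addfile(info, io.BytesIO(content))
        return buf.getvalue()

    control = tar_gz({"./control": b"Package: demo\nVersion: 1.0-1\nArchitecture: all\n"})
    return (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", control)
            + ar_member("data.tar.gz", tar_gz(files)))


SOURCE_FILES = {  # what building the uploaded source actually yields
    "./usr/bin/demo": b"#!/bin/sh\necho hello\n",
    "./usr/share/doc/demo/copyright": b"GPL-2+\n",
}
ARCHIVE_DEB = make_deb({  # what the uploader built after a local, unpublished patch
    **SOURCE_FILES,
    "./usr/bin/demo": b"#!/bin/sh\necho hello\n. /usr/lib/demo/extra.sh\n",
    "./usr/lib/demo/extra.sh": b"# not present in the source package\n",
})
REBUILT_DEB = make_deb(SOURCE_FILES)


def demo() -> dict:
    """Run the comparison on the constructed pair of packages."""
    return compare_debs(ARCHIVE_DEB, REBUILT_DEB)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is on file content, not on the compressed bytes, because two honest builds of the same source rarely produce byte-identical tarballs (timestamps, build paths, compressor settings). Even at the content level a 2013-era rebuild would show spurious differences from embedded dates and paths; that is exactly the noise the reproducible-builds work aims to remove, and for real packages `diffoscope` gives a far more readable diff than a hash table.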