
Re: Compromising Debian Repositories
On Sat, 3 Aug 2013 10:48:52 +0200
Paul Wise <pabs@debian.org> wrote:

> On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote:
> 
> > I was reading this [1] article and it brought a question to my
> > mind: How hard would it be for the FBI or the NSA or the CIA to
> > have a couple of agents infiltrated as package maintainers and
> > seeding compromised packages into the official repositories?
> 
> Probably easy.
> 
> > Could they submit an uncompromised source and keep a small patch
> > that they apply before building and sending it to the repository?
> > Or is the building process done on Debian servers?
> 
> They could. All of the Architecture: all packages are built on
> developer machines. For most packages, at least one architecture for
> each architecture-specific binary package has been built on developer
> machines. In practice this means arch all, amd64 and some i386
> packages are built on developer machines. We have been talking about
> changing this for a long time and there is a plan but the relevant
> people haven't had time to implement it yet.
> 

It is easy to monitor all internet traffic on a test system.