Re: fakeroot a solution for multi-architecture building?

To: joost witteveen <joost@rulcmc.leidenuniv.nl>
Cc: dwarf@polaris.net, clameter@waterf.org, debian-devel@lists.debian.org
Subject: Re: fakeroot a solution for multi-architecture building?
From: Raul Miller <rdm@test.legislate.com>
Date: Sun, 28 Sep 1997 11:49:47 -0401
Message-id: <[🔎] 19970928114947.43522@test.legislate.com>
In-reply-to: <[🔎] m0xFLVI-000CLKC@rulcmc.leidenuniv.nl>; from joost witteveen on Sun, Sep 28, 1997 at 05:43:28PM +0200
References: <[🔎] 19970928113050.30590@test.legislate.com> <[🔎] m0xFLVI-000CLKC@rulcmc.leidenuniv.nl>

joost witteveen <joost@rulcmc.leidenuniv.nl> wrote:
> True, but at least then the package isn't uploaded yet.
> The (admittedly not very big) difference is that the developper may/should
> notice the breakin (OK, that may be difficult), and, after he found his
> system was corrupted, he can at least distrust his debian sources.

For that, you want someone to administer the auto-porting machine...

> > The solution is auditing, of course. If someone runs packages in a
> > quarantine area, and notes (and reports) any unusual behavior, that
> > would be a good thing (and not too hard to implement). The more and more
> > varied these quarantine are, the better.
> 
> And they should all have system names like "picard.cistron.nl" and have
> excactly the same HD's installed as picard etc. _If_ I'm ever going
> to attac in a way like that, I'm gonna make sure the package I build
> checks for the hostname (and some hardware things) of the host I want
> to "rm -rf /".

Gotta cover all the bases, though.  If some program wants to send
regular updates to eddie.berkeley.edu, somebody ought to notice.
[Note: I forgot to mention that, of course, the quarantine system
must excercise the code.]
 
> > Finally, it would be good to have a *simple* program to compare
> > binaries.  This way, independently generated binaries could
> > be held up against each other.  I believe this is an unmet need.
> > [Anything based on libbfd doesn't qualify, I suspect.]
> 
> This I wholehartedly agree with. (Although I'm not sure the programme
> has to be simple, just dinstall only accepting a .deb+.changes if
> there are at least some number, and then checking with whatever
> library it wants to see if the binaryies/scripts/files are identical
> would be a good thing).

It has to be simple because of an issue I mentioned in a paragraph
you choose not to quote (If no one understands the source to the
program, it's not secure): Simple programs are much more secure
than complex programs.

-- 
Raul


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

Follow-Ups:
- Re: fakeroot a solution for multi-architecture building?
  - From: Jim Pick <jim@jimpick.com>

References:
- Re: fakeroot a solution for multi-architecture building?
  - From: Raul Miller <rdm@test.legislate.com>
- Re: fakeroot a solution for multi-architecture building?
  - From: joost@rulcmc.leidenuniv.nl (joost witteveen)

Prev by Date: Re: fakeroot a solution for multi-architecture building?
Next by Date: Re: Dpkg-shlibdeps and libc5/6
Previous by thread: Re: fakeroot a solution for multi-architecture building?
Next by thread: Re: fakeroot a solution for multi-architecture building?
Index(es):
- Date
- Thread