Re: fakeroot a solution for multi-architecture building?
> For the builds to be possible automatically, this private
> key has to be available somewhere on alpha-build in plaintext[1].
You could enter the phrase into a program. This way you can only get the
phrase if you access /dev/kmem. Yes, this problem exists.
Summary: if you can't trust root on the build machine, you can't trust
the packages it builds. For me it is the same deal as with all Debian
developers: I have to trust them and their machines.
I see no difference. Of course it will be easier to break into a build
machine to add a trojan horse, but master is an even better target.
I agree with you: the build machines have to be safe.
> Now comes the (simple) attack: just exploit the samba bugs on alpha-build,
> and you are now able to create packages that dinstall will trust.
We can make it less simple: the phrase is handled by a program running
as root. You need to access kmem to get the key, and if we XOR it with a
random value, it's not so easy to find the key.
And if the machine is running a build process, you only have to break
into the build user and put an extra file into debian/tmp at the right
second.
These machines have to be safe, and a security leak on these machines is
as bad as a security leak on master.
Thus, the build machines must be under the control of someone you trust to
make the system secure.
> [1] With plaintext I don't necessarily mean that the PGP passphrase itself
> is somewhere on the HD. But at least alpha-build _is_ able to
> sign packages with the key, so the intruder can make alpha-build
> sign any packages he likes.
Where is the difference between having the PGP phrase in kmem and having
a sniffer program running as root that will record the passphrase when
you build a package on your machine? The security problem is the same
in my opinion.
andreas
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
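Added example, not part of the mail above: a simulation of the /dev/kmem point. The mail proposes keeping the signing passphrase only inside a root process and XORing it with a random value so it is "not so easy to find". The catch is that the process must also keep the mask, in the same memory, to undo the XOR when it signs, so anyone who can read that memory (kmem, a core file, ptrace as root) can XOR every pair of windows and pick the result that looks like text. The "memory image" below is a constructed byte string, the passphrase is a made-up sample, the mask comes from a seeded PRNG purely for reproducibility (a real program would use os.urandom), and the attacker is assumed to know the passphrase length from the program's source; all of these are assumptions of this example.

```python
"""Simulated attack on an XOR-masked passphrase held in a root process's memory.

Constructed example: the memory image is built here, not dumped from a real
process, and the passphrase is a sample value, not a real key.
"""
import random

# Constructed sample passphrase; not a real key.
PASSPHRASE = b"correct horse battery staple"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def protect(passphrase: bytes, rng: random.Random) -> tuple[bytes, bytes]:
    """The 'protection' from the mail: XOR the passphrase with a random mask.

    Both the mask and the masked value have to stay in memory so the program
    can undo the XOR when it signs; that is the whole weakness.  The mask is
    drawn from a seeded PRNG only so the demo is reproducible (assumption).
    """
    mask = rng.randbytes(len(passphrase))
    return mask, xor_bytes(passphrase, mask)


def build_memory_image(mask: bytes, masked: bytes, rng: random.Random,
                       size: int = 512) -> tuple[bytes, tuple[int, int]]:
    """Constructed stand-in for a dump of the signing process's data segment:
    random filler with the mask and the masked passphrase stored at two
    unrelated, non-overlapping offsets that the attacker does not know."""
    n = len(mask)
    image = bytearray(rng.randbytes(size))
    mask_off = rng.randrange(0, size - 2 * n)
    masked_off = rng.randrange(mask_off + n, size - n + 1)
    image[mask_off:mask_off + n] = mask
    image[masked_off:masked_off + n] = masked
    return bytes(image), (mask_off, masked_off)


def looks_like_passphrase(candidate: bytes) -> bool:
    """Cheap plausibility filter: every byte is printable ASCII."""
    return all(0x20 <= b < 0x7F for b in candidate)


def recover(image: bytes, secret_len: int) -> list[bytes]:
    """What a kmem reader does: XOR every pair of secret_len-byte windows of
    the image and keep the results that look like text.

    The true (mask, masked) pair is always among the results.  A few shifted
    near-misses (the true windows moved by a byte or two, leaving one garbage
    byte that happens to be printable) can appear as well; the attacker simply
    tries each candidate against the PGP key.  secret_len is assumed known
    from the program's source.
    """
    windows = [int.from_bytes(image[k:k + secret_len], "big")
               for k in range(len(image) - secret_len + 1)]
    found = []
    for i, wi in enumerate(windows):
        for wj in windows[i + 1:]:
            candidate = (wi ^ wj).to_bytes(secret_len, "big")
            if looks_like_passphrase(candidate):
                found.append(candidate)
    return found


def demo(seed: int = 1234) -> dict:
    """Run the whole scenario: mask the passphrase, place it in a fake memory
    image, and show that a plain grep fails while the pairwise XOR search
    recovers the passphrase."""
    rng = random.Random(seed)
    mask, masked = protect(PASSPHRASE, rng)
    image, offsets = build_memory_image(mask, masked, rng)
    return {
        "plaintext_visible": PASSPHRASE in image,       # grep of memory: False
        "candidates": recover(image, len(PASSPHRASE)),  # contains PASSPHRASE
        "offsets": offsets,
    }


if __name__ == "__main__":
    result = demo()
    print("plain grep of memory finds the passphrase:", result["plaintext_visible"])
    print("candidates from the pairwise XOR search:", result["candidates"])
```

The search is quadratic in the size of the image, which for a real process dump is large but still a one-off job for the attacker, and it can be cut down further with the knowledge that both values sit in the same data structure. The point the mail concedes stands: whatever the signing process does to the passphrase in memory, root on the build machine can sign.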