
Re: Trust in the Debian Build Process



On Sat, Nov 28, 1998 at 03:11:41PM -0500, Robert Edmonds wrote:
> On 16 Nov 1998, Thomas Roessler wrote:
> [snip]
> > Centralize the actual build process. Use a well-defined and
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Are you saying we should all build on master? Or even a group of machines
> under master? Even the Novare guys who physically host many of our
> machines must have root access to i.e. shut it down for hardware upgrades,
> etc.
> 
> Most of the Debian developers build on machines controlled by them,
> meaning _they_ are the only ones with root access. So a BOFH shared libs
> attack would not work. Why damage your own system? But now, the "malicious
> developer" is a valid point. Usually they are caught and
> execut^H^H^H^Hpelled from the Debian project.

Well... I have a problem with "Usually". Yes, if a developer was
found doing any sort of malicious thing they would be expelled, and
turned over to the authorities (AFAIK it would be illegal in most
places to introduce trojans and holes into other people's systems on
purpose).

The fact is that as far as I have heard this has NEVER happened. We can't say
that this is usually what happens, since it never has.

> > well-secured set of machines for automatically building the binary
> > packages.  Sign the generated binary packages with a central code
> > signing key.  Have the maintainers sign the diff files they submit.
> > Provide digital signatures for the source tar balls.
> [snip]

I don't think this would improve security at all, but it would fix some
problems (i.e. if libc changes in a small way that only breaks binary
compatibility... it would automatically fix itself on next compile).

After all... how hard would it be to introduce a small security hole and
have it go undetected? A buffer overflow or two... it would build fine from
source and still have the hole.

It was mentioned somewhere that this could even be done very discreetly and
almost undetectably over a series of patches (say submitted to the BTS).
In that way it wouldn't even need a malicious developer... just someone
clever enough to hide it in patches and send it to the BTS and have the
developer incorporate the patches. How many developers are qualified to do
a proper security audit over everything after every patch? I know I am not.

Of course... again... we have no proof that this has ever happened
(or does someone have proof?) so the discussion is completely academic.

I have said it before... if someone WANTS to hurt us, they can and will.
The only things stopping them are their own skills and determination.

-Steve
--
/* -- Stephen Carpenter <sjc@delphi.com> --- <sjc@debian.org>------------ */
"People who live in glass houses shouldn't throw orgies"
                -- The Mahareeshi Hashish Yogi 
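The signing chain Thomas Roessler proposes above (upstream-signed tarball, maintainer-signed diff, binary signed by a central build key) and Steve's objection to it can both be made concrete. The following is an added example and not code from the thread or from Debian; it models the chain with HMAC-SHA256 as a stand-in for PGP signatures (an assumption, so the example runs on the Python standard library alone), with a constructed tarball and constructed diffs. It shows what such a chain does catch (a tampered binary, a diff swapped after signing) and what it cannot (a validly signed diff that happens to introduce a hole).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# One key per role. The thread's proposal uses PGP keys; HMAC-SHA256 is a
# stand-in (an assumption of this example) so it needs only the standard library.
ROLE_KEYS = {
    "upstream": secrets.token_bytes(32),          # signs source tarballs
    "maintainer:alice": secrets.token_bytes(32),  # a maintainer signs her diffs
    "central-build": secrets.token_bytes(32),     # the build machine signs binaries
}


def sign(role: str, data: bytes) -> str:
    return hmac.new(ROLE_KEYS[role], data, hashlib.sha256).hexdigest()


def verify(role: str, data: bytes, sig: str) -> bool:
    if role not in ROLE_KEYS:
        return False
    return hmac.compare_digest(sign(role, data), sig)


@dataclass
class Submission:
    tarball: bytes
    tarball_sig: str      # signed by "upstream"
    diff: bytes
    diff_sig: str         # signed by the named maintainer
    maintainer: str


@dataclass
class BinaryPackage:
    submission: Submission
    binary: bytes
    binary_sig: str       # signed by "central-build"


def central_build(sub: Submission) -> BinaryPackage:
    """The proposed central build machine: check inputs, build, sign the result."""
    if not verify("upstream", sub.tarball, sub.tarball_sig):
        raise ValueError("source tarball signature invalid")
    if not (sub.maintainer.startswith("maintainer:")
            and verify(sub.maintainer, sub.diff, sub.diff_sig)):
        raise ValueError("diff not signed by a known maintainer key")
    # "Compiling" is modelled as hashing the source and the diff together.
    binary = hashlib.sha256(sub.tarball + sub.diff).digest()
    return BinaryPackage(sub, binary, sign("central-build", binary))


def verify_package(pkg: BinaryPackage) -> tuple[bool, str]:
    """What an installing machine would check: every link of the chain."""
    sub = pkg.submission
    if not verify("central-build", pkg.binary, pkg.binary_sig):
        return False, "binary not signed by the central build key"
    if not verify("upstream", sub.tarball, sub.tarball_sig):
        return False, "source tarball signature invalid"
    if not verify(sub.maintainer, sub.diff, sub.diff_sig):
        return False, "diff signature invalid"
    if hashlib.sha256(sub.tarball + sub.diff).digest() != pkg.binary:
        return False, "binary does not match the signed source"
    return True, "provenance chain verified"


def make_submission(diff: bytes, maintainer: str = "maintainer:alice") -> Submission:
    # Constructed sample input standing in for a real upstream tarball.
    tarball = b"constructed upstream source tarball\n"
    return Submission(tarball, sign("upstream", tarball),
                      diff, sign(maintainer, diff), maintainer)


def demo() -> dict[str, bool]:
    """Four cases: what the chain catches and what it cannot."""
    results = {}
    clean = central_build(make_submission(b"+fix typo in manpage\n"))
    results["clean"] = verify_package(clean)[0]

    # Steve's point: a diff that introduces a hole is still a validly signed diff,
    # so provenance checks pass; only a code audit would notice it.
    hole = central_build(make_submission(
        b"+/* constructed diff: copies input into a fixed buffer unchecked */\n"))
    results["signed_but_buggy"] = verify_package(hole)[0]

    # A binary altered after the build machine signed it is rejected.
    tampered = central_build(make_submission(b"+fix typo in manpage\n"))
    tampered.binary = bytes([tampered.binary[0] ^ 0xFF]) + tampered.binary[1:]
    results["tampered_binary"] = verify_package(tampered)[0]

    # A diff replaced after the maintainer signed it is rejected.
    swapped = central_build(make_submission(b"+fix typo in manpage\n"))
    swapped.submission.diff = b"+something the maintainer never signed\n"
    results["swapped_diff"] = verify_package(swapped)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'verifies' if ok else 'REJECTED'}")
```

The "signed_but_buggy" case is the one the thread is really about: every signature checks out because the chain attests who produced each artifact and that nothing changed in transit, not that the content is free of holes. That is why the central build step in this model re-checks the maintainer's signature and recomputes the binary from the signed inputs, but never claims to audit the diff itself.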