
Re: Trust in the Debian Build Process



On Sat, Nov 28, 1998 at 07:32:17PM +0100, J.H.M. Dassen (Ray) wrote:
 
> Please note that uploads of Debian packages already contain a digital
> signature for the binary packages as part of the .changes file.
> Unfortunately, this information isn't part of the Debian packages
> themselves, so an end user can't verify it, and a malicious mirror could
> insert trojan packages.

What can we do against this? I guess most users, at most, verify their
packages using the Debian keyring from the mirror/CD, so somebody could even
circumvent the digital signature by changing a developer's key in the
keyring...

> > One possible solution may look like this:
> > 
> > Centralize the actual build process.
> 
> There are certainly merits to this, and I'd like to see this implemented, if
> it's feasible. It would also prevent disasters like the libc compiled with a
> broken /usr/local/bin/gcc we're now in the process of recovering from.

I do not think so. If we had installed the buggy libc on a centralized build
machine, we would have had every package compiled with the wrong library...

> I'm not sure if it's feasible yet. I don't know if we have enough power
> available in net.connected machines to pull it off. Also, we'd need a way to
> give some builds priority (e.g. security fixes).

Build only on net-connected machines? This is just another security hole. Are
you sure nobody can gain root access to master?

It is a lot more secure to build the binaries on developers' machines which are
not connected, or not permanently connected, to the net.

> Ray

cu
	Torsten

Attachment: pgpJ1KBy0XjBE.pgp
Description: PGP signature
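Added example, not from the thread: a small model of the trust gap Ray describes. The .changes file lists an md5sum and size per binary package, so a user who holds a trusted copy of that file can detect a package swapped on a mirror; a user who only has the .deb cannot. The .changes text, package names and mirror contents below are constructed, and the PGP signature over the .changes text is assumed to have been verified separately against a keyring that did not come from the same mirror.

```python
import hashlib
import re

# Constructed sample of the "Files:" stanza of a 1998-era .changes upload.
# Real files carry more fields and are PGP clearsigned as a whole; that
# signature covers this text, not the .deb files it names.
CHANGES_TEXT = """Format: 1.5
Source: hello
Files:
 5d41402abc4b2a76b9719d911017c592 5 devel optional hello_1.3-1_i386.deb
"""

# Constructed mirror contents: an honest copy and a same-size tampered copy.
GOOD_MIRROR = {"hello_1.3-1_i386.deb": b"hello"}
BAD_MIRROR = {"hello_1.3-1_i386.deb": b"hellX"}

# md5sum, size, section, priority, filename (md5 is what the format used then)
_FILE_LINE = re.compile(r"^\s+([0-9a-f]{32})\s+(\d+)\s+\S+\s+\S+\s+(\S+)$")


def parse_files_field(changes_text):
    """Return [(md5, size, filename)] from the Files: stanza."""
    entries = []
    in_files = False
    for line in changes_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if in_files:
            m = _FILE_LINE.match(line)
            if not m:
                break  # stanza ends at the first non-matching line
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def verify_mirror(changes_text, mirror):
    """Check mirror copies against a .changes whose signature is trusted."""
    results = {}
    for md5, size, name in parse_files_field(changes_text):
        data = mirror.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.md5(data).hexdigest() != md5:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results
```

Without the .changes file (or with one whose signature was checked against a keyring served by the same mirror), the check above has nothing trustworthy to compare against, which is the point Torsten raises about the keyring.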

