Re: Trust in the Debian Build Process
> On Mon, Nov 30, 1998 at 07:17:52AM -0500, Robert Edmonds wrote:
> > On Mon, 30 Nov 1998, Jiri Baum wrote:
> > > Yes, but you get root access to anyone who installs your packages, via
> > > the install scripts.
> > *Only* packages with pre/post inst/rm scripts are affected by this. For
> That is simple bullshit.
Well, yes and no. Only packages with the scripts are affected by it, but:
(a) there's plenty of other opportunities, and
(b) how many people check which packages have pre/post inst scripts?
> How hard would it be for me to introduce a small "bug" into it which would
> go unnoticed?
I guess that depends on how subtle you want it to be...
> Why does it HAVE to be the pre/post inst/rm ?
It doesn't, it was just the most trivial example.
> That is too easy to spot...
Yes. A bit harder if it does "rm $0", but only a bit.
[...every upload verified and security audited...]
> it would introduce an unacceptable (IMHO) bottleneck in the process. This is
> one bottleneck which would fill FAST.
> We have a nice system of trust, and I think it works. Any system will have
> its flaws. Really though...there has to be some trust.
It has been pointed out long ago that if you can subvert the cc binary to
subtly mis-compile cc and login, nothing need show up in source.
I'm afraid I don't have any suggestions (apart from "if you need to, hire a
security consultant"). Security is a complex problem with no easy answers :-)
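As an added illustration of point (b) above (this is not part of the thread), the following Python script answers the question "which installed packages actually carry pre/post inst/rm scripts?" by scanning dpkg's info directory, and additionally flags scripts that delete their own file with the "rm $0" trick the reply mentions. The directory it scans here is a constructed throwaway sample; on a real Debian host the path would be /var/lib/dpkg/info.

```python
import os
import re
import tempfile
from collections import defaultdict

# dpkg stores each package's unpacked maintainer scripts as
# /var/lib/dpkg/info/<pkg>.<type>; these are the four types that run as root.
MAINT_SCRIPT_TYPES = ("preinst", "postinst", "prerm", "postrm")

# Self-removal idiom from the thread: a script that deletes its own file ($0).
SELF_RM_RE = re.compile(r"\brm\b[^\n]*\$0\b")


def maintainer_scripts(info_dir):
    """Map package name -> sorted list of maintainer script types present."""
    found = defaultdict(list)
    for name in os.listdir(info_dir):
        pkg, dot, kind = name.rpartition(".")
        if dot and kind in MAINT_SCRIPT_TYPES:
            found[pkg].append(kind)
    return {pkg: sorted(kinds) for pkg, kinds in found.items()}


def self_removing_scripts(info_dir):
    """Return '<pkg>.<type>' names whose body contains an `rm ... $0` idiom."""
    hits = []
    for pkg, kinds in maintainer_scripts(info_dir).items():
        for kind in kinds:
            path = os.path.join(info_dir, f"{pkg}.{kind}")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if SELF_RM_RE.search(fh.read()):
                    hits.append(f"{pkg}.{kind}")
    return sorted(hits)


def build_sample_info_dir():
    """Create a constructed, throwaway info directory (sample data, not real)."""
    d = tempfile.mkdtemp(prefix="dpkg-info-")
    samples = {
        "libfoo.list": "/usr/lib/libfoo.so\n",          # no scripts: unaffected
        "bar.postinst": "#!/bin/sh\nldconfig\n",
        "bar.prerm": "#!/bin/sh\nexit 0\n",
        "baz.preinst": "#!/bin/sh\necho configured\nrm $0\n",  # self-removing
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    info = build_sample_info_dir()  # on a real host: "/var/lib/dpkg/info"
    for pkg, kinds in sorted(maintainer_scripts(info).items()):
        print(f"{pkg}: {', '.join(kinds)}")
    print("self-removing:", self_removing_scripts(info))
```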