Re: Trust in the Debian Build Process
Steve wrote:
> On Mon, Nov 30, 1998 at 07:17:52AM -0500, Robert Edmonds wrote:
> > On Mon, 30 Nov 1998, Jiri Baum wrote:
> > > Yes, but you get root access to anyone who installs your packages, via
> > > the install scripts.
> > *Only* packages with pre/post inst/rm scripts are affected by this. For
> That is simple bullshit.

Well, yes and no. Only packages with the scripts are affected by it, but:
  (a) there's plenty of other opportunities, and
  (b) how many people check which packages have pre/post inst scripts?

> How hard would it be for me to introduce a small "bug" into it which would
> go unnoticed?

I guess that depends on how subtle you want it to be...

> Why does it HAVE to be the pre/post inst/rm ?

It doesn't, it was just the most trivial example.

> That is too easy to spot...

Yes. A bit harder if it does "rm $0", but only a bit.

[...every upload verified and security audited...]
> it would introduce an unacceptable (IMHO) bottleneck in the process. This is
> one bottleneck which would fill FAST.
> We have a nice system of trust, and I think it works. Any system will have
> its flaws. Really though...there has to be some trust.

It has been pointed out long ago that if you can subvert the cc binary to
subtly mis-compile cc and login, nothing need show up in source.

I'm afraid I don't have any suggestions (apart from "if you need to, hire a
security consultant"). Security is a complex problem with no easy answers :-)

Jiri <jiri@baum.com.au>
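Point (b) above, that few people check which packages carry pre/post inst/rm scripts, is easy to turn into a routine check. The following is an added example, not code from the thread or from Debian's tools: a small Python parser that reads a binary package (an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`), lists the maintainer scripts found in the control archive, and flags lines of the kind the message mentions, a script that removes itself with `rm $0`. The sample package, its control file and its `postinst` are constructed inline so the script runs offline; the `_ar_pack`, `_tar_gz` and `build_sample_deb` helpers exist only to build that sample.

```python
"""List maintainer scripts inside a Debian .deb without installing it.

Added example (not from the thread or Debian's own tooling). A .deb is an
`ar` archive; the control archive inside it holds the scripts that dpkg runs
as root at install/remove time, so auditing a package starts by seeing
whether any are present and what they do.
"""
from __future__ import annotations

import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# A script that deletes itself (the "rm $0" trick from the message) is
# worth a closer look; this only matches that literal pattern.
SELF_DELETE = re.compile(r"\brm\b[^\n]*\$0")


def _ar_members(data: bytes):
    """Yield (name, body) for each member of a classic ar archive."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive (bad magic)")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                       # fixed 60-byte header
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                  # bodies are padded to even length


def maintainer_scripts(deb_bytes: bytes) -> dict[str, str]:
    """Return {script_name: script_text} for maintainer scripts in the .deb."""
    found: dict[str, str] = {}
    for name, body in _ar_members(deb_bytes):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
            for member in tf.getmembers():
                base = member.name[2:] if member.name.startswith("./") else member.name
                if base in MAINTAINER_SCRIPTS and member.isfile():
                    found[base] = tf.extractfile(member).read().decode("utf-8", "replace")
    return found


def suspicious_lines(script: str) -> list[str]:
    """Lines of a maintainer script that remove the script itself."""
    return [ln for ln in script.splitlines() if SELF_DELETE.search(ln)]


# --- constructed sample package (hypothetical, for demonstration only) ---

def _ar_pack(members: list[tuple[str, bytes]]) -> bytes:
    out = bytearray(b"!<arch>\n")
    for name, body in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(body):<10}`\n".encode("ascii")
        out += hdr + body
        if len(body) % 2:
            out += b"\n"
    return bytes(out)


def _tar_gz(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """A minimal constructed .deb with one harmless postinst script."""
    control = (b"Package: sample-pkg\nVersion: 0.1\nArchitecture: all\n"
               b"Maintainer: constructed <nobody@example.invalid>\n"
               b"Description: constructed sample, not a real package\n")
    postinst = b"#!/bin/sh\nset -e\necho 'this runs as root at install time'\n"
    return _ar_pack([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_gz({"./control": control, "./postinst": postinst})),
        ("data.tar.gz", _tar_gz({})),
    ])


if __name__ == "__main__":
    for script, text in maintainer_scripts(build_sample_deb()).items():
        print(f"{script}: {len(text.splitlines())} lines, "
              f"self-delete lines: {suspicious_lines(text)}")
```

Pointing `maintainer_scripts` at the bytes of a real package (`open("pkg.deb", "rb").read()`) gives the same listing; an empty dict means dpkg will run nothing from that package on install or removal, which is the cheap first filter point (b) asks for.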