[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Official Debian digital 'branding' of debs

On Jun 29, Manoj Srivastava wrote:
>         There should be a way to do what you are doing now, but that
>  would involve manually getting in on the machine, verifying that the
>  buildd daemon was not compromised, that the log files were not
>  compromised (how do you do that?), that the extracted source tree was
>  not conta=minated in the meanwhile, and that the daemon was the one
>  sending you mail in the first place.
>         I understand that the build daemons are convenient. Conveniece
>  is the major enemy of security.

I suspect that the only "secure" solution is to give every developer
boxes that run every Debian architecture, and make each developer
compile their packages on each box... these boxes to be behind a
firewall, with packages distributed by burning them on CD and mailing
them to the "home office."

For starters: How do you "verify" the build daemon is not compromised
without being at the console?  If it *is* compromised, you can be
spoofed into thinking it isn't by any method of remote access.

I suspect there are much wider holes in our security than the build
daemons.  To name one example: any developer's machine can be
compromised, his key stolen (and $20 says at least one developer has
no passphrase on his secret PGP key), and then the entire archive can
be corrupted by uploading bogus packages to master (all automatic).
If we're lucky, someone might catch the problem from the Installed
messages before it propogated to all of the mirrors...

Why hack a build daemon (which will only affect some packages on one
architecture...) when you can hack Joe Linux's machine and nail every
package on all of them?


Reply to: