Re: Packages removed from frozen

To: Manoj Srivastava <srivasta@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Packages removed from frozen
From: Samuel Tardieu <sam@debian.org>
Date: Thu, 10 Feb 2000 12:41:58 +0100
Message-id: <2000-02-10-12-41-58+trackit+sam@debian.org>
Reply-to: Samuel Tardieu <sam@debian.org>
In-reply-to: <87ya8uufuo.fsf@glaurung.green-gryphon.com>; from srivasta@debian.org on Wed, Feb 09, 2000 at 05:16:15PM -0600
References: <20000128161610.A13321@xs4all.nl> <8766w1557j.fsf@raven.localnet> <87900wsu4l.fsf@glaurung.green-gryphon.com> <20000207142942.A14269@x8b4e53cd.dhcp.okstate.edu> <87emaoqq9n.fsf@glaurung.green-gryphon.com> <2000-02-09-13-25-40+trackit+sam@debian.org> <87ya8uufuo.fsf@glaurung.green-gryphon.com>

| Or potentially a class called
| potential-security-risl-that-can-not-be-audited-by-looking-at-the-source,
| which is closer to the truth.

Exactly like GCC is: GNAT 3.11p, which is the first version I uploaded when
taking the maintainership, was cross-compiled from another system (Solaris for
Sparc), and as a member of the GNAT team I know the sources pretty well. I
can then be sure that no source or binary trojan is present in GNAT/Debian/x86.

I, or the PPC porter, did cross compile GNAT for other Debian platforms. And
except for the initial PPC port, noone but me or the autobuilder did upload
any version of GNAT. So GNAT should be safe, if my PGP signature (and
the autobuilder's one) is trusted.

| I can't figure out of this is sarcasm or stupity. I'll give
| the benefit of doubt, and assume this was a misdirected attempt at
| sarcasm. You really don't take security seriously, do you? 

The fact that you can't figure out may mean that you need to take some rest.
If YOU take security seriously and really want to try to have such a scheme
adopted by Debian, then you won't make any exception for GCC.

Debian is supposed to be a "safer" distribution, not a military-grade one
with every bit of every program inspected. We are not in the business of
providing customers with manually-inspected binaries, other "secure" Linux
distributions chose to do this, but this is their business.

| What was being attempted here is a dioalog on how one handles
| security risks in packages that depend on a binaty copy of themselves
| to build; and frankly, I see hibes and sarcasm as having no place
| here. 

And you were proposing to make an exception for GCC? And of course one for
the libc (needed for GCC to run, when compiling the libc itself) and one for
the kernel (same reason).

| Of course, you may be entirely sincere, and merely exhibiting
| extremely poor judgement in calling gnats build essential, in which
| case please accept my apology, and my commiserations, for this must
| be a really tough profession for you.

Your commiseration? You're too good. And by the way, gnat and gnats are two
totally different things.

|         manoj
|  tired of smart aleck retorts

Tired? Really? Do you *sincerely* thing it was the right time to discuss this
and make such proposals, during the freeze? Couldn't you wait for things to
settle down before trying to build a secure Linux distribution? This could
have been discussed at any other time, why choose precisely the moment where
Potato is frozen and a leader is to be elected?

Reply to:

References:
- Re: Packages removed from frozen
  - From: Rob Browning <rlb@cs.utexas.edu>
- Re: Packages removed from frozen
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Packages removed from frozen
  - From: David Starner <dvdeug@x8b4e53cd.dhcp.okstate.edu>
- Re: Packages removed from frozen
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Packages removed from frozen
  - From: Samuel Tardieu <sam@debian.org>
- Re: Packages removed from frozen
  - From: Manoj Srivastava <srivasta@debian.org>

Prev by Date: Re: Showstopping bug: gethostname() behaving incorrectly
Next by Date: Re: Packages removed from frozen
Previous by thread: Re: Packages removed from frozen
Next by thread: Re: Packages removed from frozen
Index(es):
- Date
- Thread