[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Unstripped binaries, stripped at installation time?

>>>>> "Federico" == Federico Di Gregorio <fog@mixadlive.com> writes:

    Federico> Scavenging the mail folder uncovered Karl M. Hegbloom's letter:

    >> This could also afford some protection against malicious
    >> patch-hacking, where an evil devel runs an outer-build setup that
    >> performs a sneaky patch, build, unpatch, dpkg-deb, dpkg-source
    >> routine, to ship a binary with backdoor codes that appears clean when
    >> the source package is examined.  If the debugging symbols are in the
    >> system.tar.gz inside the binary .deb, perhaps a way to check and make
    >> sure that kind of hanky-panky is not occuring could be devised.

    Federico> i think crypto and good security measures prevent trojan horses much
    Federico> more than some strange symbol-checking (that can't be automatized.)

 That relies on trusting the maintainer.  I hear scuttlebutt about
 that their could be a rogue maintainer who "hacks" backdoors into
 stuff, or writes a self-modifying postinst script that does things
 it's not supposed to.

 It must be true that Red Hat (I'll pick on them this time...) 
 packages suffer the same trouble...  Red Hat guarantees the core that
 they package "in-house", but not the user contributed packages.

 An often asked question is then "What could I do if I upgraded Debian
 and a rogue maintainer script or trojan horse wiped out my junk mail

Reply to: