Re: Revival of the signed debs discussion
Tom <email@example.com> writes:
> On Tue, Dec 02, 2003 at 01:17:58PM +0100, Goswin von Brederlow wrote:
> > Tom <firstname.lastname@example.org> writes:
> > > What precautions are taken that the DD actually signed it with the DD's
> > > private key?
> > > Set aside the possibility that the DD herself is actually the attacker.
> > You never can. But once the compromise or the DD is found out it would
> > be easy to scan the archive for possible compromised packages, audit
> > the sources and rebuild the binaries.
> Thanks for the frankness; I was asking the question pointedly. But if
> you fix the problem after it occurs, the damage is done.
> Closed source companies have ways of dealing with social engineering
> aspects (people wear badges; secure sources on isolated networks,
> security guards, threats of firing people, smart cards for SSH/VPN).
> I worked at Microsoft for 3 years and did some work with the security
> guys. The main branch of NT is about 70gb. They have a policy that any
> code has to be on encrypted file system. If your laptop gets stolen
> with NT code on it, you get fired. If you leave your laptop in your car
> or check it on your airplane, you get fired.
> The point of my question is: what can open source do that is comparable?
> It seems especially relevant considering the other thread about
> establishing Enterprise Debian.
> My nagging is just to provoke thought in the community. I don't have
> any answers.
We keep the source on millions of different computers worldwide with
different levels of security, different operating systems, different
cpus (an exploit for i386 won't work on m68k directly) and the code is
read again and again by countless people. You can't compromise all
copies of the source.
Also it's impossible to slip code into any common open source project at
just one end (say compromise cvs.debian.org and slip a change in)
without getting several people to notice and read the changes
made. You might get away with it for a few days (depending on how
active the project is) but someone will notice the change no matter
how clever you think you are.
There is no security as strong as many people reading the source over
and over. You can't hack their brains to skip over the backdoor code
and you can only obfuscate a backdoor so much.