Re: Revival of the signed debs discussion
Scripsit Goswin von Brederlow <email@example.com>
> There is no security as strong as many people reading the source over
> and over. You can't hack their brains to skip over the backdoor code
> and you can only obfuscate a backdoor so much.
I refer you to Ken Thompson's Turing award lecture. If someone who
really means business manages to compromise binary toolchain debs, all
the hackers in the world reading source over and over will not find
(And "toolchain" here includes all code that is even marginally
involved in the process leading to itself being recompiled. Libc,
kernel images, lilo, dpkg, debhelper, perl, etc etc).
Henning Makholm "No one seems to know what
distinguishes a bell from a whistle."