[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

Henning Makholm <henning@makholm.net> writes:

> Scripsit Goswin von Brederlow
> > Henning Makholm <henning@makholm.net> writes:
> > > I refer you to Ken Thompson's Turing award lecture. If someone who
> > > really means business manages to compromise binary toolchain debs, all
> > > the hackers in the world reading source over and over will not find
> > > the backdoor.
> > But their source is already secured by the same means.
> You really need to read Thompson's paper.
> > One can maintain and update a debian system from source alone so one
> > only has to trust the peer reviewing of sources.
> How do you compile the sources without first having to trust binary
> .debs for the toolchain?

You have to bootstrap. You have to trust the binaries you currently

Or you have to compile/assemble them in your head and use a magnet and
a needle to put the bits on your harddisk. But still, do you trust the
harddisk bios, the system bios, the cpu? There could be a password
sniffer embedded in your keyboard....

You have to stop somewhere or you go crazy :)


Reply to: