Re: Revival of the signed debs discussion

To: Henning Makholm <henning@makholm.net>
Cc: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: 03 Dec 2003 03:36:44 +0100
Message-id: <[🔎] 873cc2hbk3.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 20031202232001.GA29058@henning.makholm.net>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 20031201235436.GC2936@kitenet.net> <[🔎] 20031202100753.GB3756@mails.so.argh.org> <[🔎] 20031202103643.GA7852@comcast.net> <[🔎] 87n0abifbd.fsf@mrvn.homelinux.org> <[🔎] 20031202123824.GA9340@comcast.net> <[🔎] 87iskzices.fsf@mrvn.homelinux.org> <[🔎] 87znebxmvx.fsf@kreon.lan.henning.makholm.net> <[🔎] 87d6b6izdj.fsf@mrvn.homelinux.org> <[🔎] 20031202232001.GA29058@henning.makholm.net>

Henning Makholm <henning@makholm.net> writes:

> Scripsit Goswin von Brederlow
> > Henning Makholm <henning@makholm.net> writes:
> 
> > > I refer you to Ken Thompson's Turing award lecture. If someone who
> > > really means business manages to compromise binary toolchain debs, all
> > > the hackers in the world reading source over and over will not find
> > > the backdoor.
> 
> > But their source is already secured by the same means.
> 
> You really need to read Thompson's paper.
> 
> > One can maintain and update a debian system from source alone so one
> > only has to trust the peer reviewing of sources.
> 
> How do you compile the sources without first having to trust binary
> .debs for the toolchain?

You have to bootstrap. You have to trust the binaries you currently
have.

Or you have to compile/assemble them in your head and use a magnet and
a needle to put the bits on your harddisk. But still, do you trust the
harddisk bios, the system bios, the cpu? There could be a password
sniffer embedded in your keyboard....

You have to stop somewhere or you go crazy :)

MfG
        Goswin

Reply to:

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Andreas Barth <aba@not.so.argh.org>
- Re: Revival of the signed debs discussion
  - From: Tom <tb.31123.nospam@comcast.net>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Tom <tb.31123.nospam@comcast.net>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Henning Makholm <henning@makholm.net>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Henning Makholm <henning@makholm.net>

Prev by Date: Re: Revival of the signed debs discussion
Next by Date: Re: Revival of the signed debs discussion
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread