
Re: https for apt to prevent man in middle transparent proxy mirror attacks?



On Sun, Jul 04, 2004 at 04:57:52AM -0700, Karl Hegbloom wrote:
> On Wed, 2004-06-09 at 06:44 -0700, Karl Hegbloom wrote:
> > Perhaps uploading of binary packages should be done away with
> > altogether, and all packages should be built on known secure servers by
> > a build daemon?  It's easier to verify the source code and patches than
> > it is to verify a binary, right?  Then it comes down to who's in control
> > of the build servers, the archive network, and networks in between those
> > hosts.
> 
> I've been thinking about this again.  What if Debian:
> 
> * Got rid of binary uploads, and went to source package only uploads,
> and then everything is built by the build daemon.

We would get loads of broken source uploads (because people are lazy,
and some people wouldn't test their uploads as well as is necessary).
Also, we'd need to make sure binary-all packages get built "somewhere",
but that they get built only once. This would result in wasted time,
resources, and effort; and doing it only incorrectly would result in
even more wasted time, resources, and effort.

Thanks, but no thanks.

> * All packages are held in double custody, and cannot go into the
> archive until they are verified and signed by at least two maintainers.

Uh. *gasp*. We can't get much done as it is; we can't even release. Do
you really want to make things worse?

> The two cannot be people who would be likely to be in cahoots with one
> another, especially for libraries that a lot of packages depend on
> (hairy nodes) and security centric software...

yeah, yeah, yada yada. Even the best of friends argue at times.

[...]
> * Debian implements SELinux, stack guard, ... ?

In principle, nothing against this -- only if it's done right, though.

-- 
         EARTH
     smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
         WATER
 -- with thanks to fortune


