[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Architecture independent binaries and building from source

On Wed, Aug 11, 2004 at 10:21:06PM +0200, Nicolas Boullis wrote:
> Hi,
> On Tue, Aug 10, 2004 at 05:11:18PM -0700, Shaun Jackman wrote:
> > 
> > This is my point exactly. Upstream's binaries are technically perfect.
> > There is no technical advantage to rebuilding them. That being the
> > case, I see no need to rebuild them.
> How can you be know if upstream is not putting some evil backdoor in the 
> binary? It's much easier to hide something evil in a binary than in 
> source code.
> (And don't tell me it never happens. Some time ago, a disappointed 
> upstream author added ome slightly damaging code against Debian; the 
> maintainer did not realize and uploaded the package...)

This isn't particularly relevant; the micq problem occured in (slightly
obfuscated) source code, not in a binary blob. And nobody has said that
it shouldn't be a serious bug if you can't rebuild a working package from
'pure source' which must still be included.

The main question seems to be an issue of whether one favors either:

A) 1) Saving time on the autobuilders (potentially lots of it), and
   2) Having a 'pristine' copy of the upstream tarball,


B) 1) Ensuring that the security team won't run into a nasty 'gotcha'
      that nobody realized was there, and
   2) Giving DFSG-free compilers more excercise (in this case).

If the authors hide malware in a binary blob, they're just as likely to
hide it in an obfuscated form in the source; short of actually auditing the
source every time you pull it from upstream, there is little a maintainer
can do about this (and as the micq issue demonstrated, auditing source in
this manner is not a practical thing to do for most Debian packages, unless
we have reason to distrust them).
Joel Baker <fenton@debian.org>                                        ,''`.
Debian GNU/kNetBSD(i386) porter                                      : :' :
                                                                     `. `'
http://nienna.lightbearer.com/                                         `-

Attachment: pgpArVZmwItJq.pgp
Description: PGP signature

Reply to: