Re: Bits (Nybbles?) from the Vancouver release team meeting

To: Wouter Verhelst <wouter@grep.be>
Cc: Sven Luther <sven.luther@wanadoo.fr>, Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>, Thomas Bushnell BSG <tb@becket.net>, debian-devel@lists.debian.org
Subject: Re: Bits (Nybbles?) from the Vancouver release team meeting
From: Sven Luther <sven.luther@wanadoo.fr>
Date: Mon, 14 Mar 2005 22:20:00 +0100
Message-id: <[🔎] 20050314212000.GA22849@pegasos>
In-reply-to: <[🔎] 1110827223.8686.86.camel@country.grep.be>
References: <20050314044505.GA5157@mauritius.dodds.net> <[🔎] Pine.LNX.4.62.0503140721080.4772@wr-linux02> <[🔎] 20050314073645.GA18997@quetzlcoatl.dodds.net> <[🔎] 20050314094629.GB6974@pegasos> <[🔎] 87is3u7cyn.fsf@becket.becket.net> <[🔎] 20050314101155.GI6974@pegasos> <[🔎] 87ekeii0na.fsf@informatik.uni-tuebingen.de> <[🔎] 20050314181549.GD17820@pegasos> <[🔎] 1110827223.8686.86.camel@country.grep.be>

On Mon, Mar 14, 2005 at 08:07:03PM +0100, Wouter Verhelst wrote:
> Op ma, 14-03-2005 te 19:15 +0100, schreef Sven Luther:
> > so the buildd admin really examine all the packages for deviation that a
> > compromised buildd could have incorporated before signing them ? Or that they
> > scan the machine for a compromise and always detect them before signing ? 
> 
> Not really.
> 
> As you know, nothing gets uploaded to the archive without it having a
> gpg signature by a key in the Debian gpg keyring. That goes for
> autobuilt packages, too.
> 
> Also, I never sign stuff unless it gets through my filters and into the
> right Maildir (and one of the things my filters check is the 'From'
> address), so only the correct host will be able to upload.
> 
> Apart from that, I regularly log in to my buildd hosts, and check up on
> them. If the host were compromised, I'd notice -- just as much as I'd
> notice if anyone would compromise my firewall.

But you would notice all this just the same if the signing where automated,
don't you ? None of the procedures above would allow you to discover a package
built on a compromised buildd in a better way than if it was auto-signed.

Friendly,

Sven Luther

Reply to:

Follow-Ups:
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Wouter Verhelst <wouter@grep.be>

References:
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Andreas Tille <tillea@rki.de>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Steve Langasek <vorlon@debian.org>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Sven Luther <sven.luther@wanadoo.fr>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Sven Luther <sven.luther@wanadoo.fr>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Sven Luther <sven.luther@wanadoo.fr>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Wouter Verhelst <wouter@grep.be>

Prev by Date: Re: Bits (Nybbles?) from the Vancouver release team meeting
Next by Date: Re: Bits (Nybbles?) from the Vancouver release team meeting
Previous by thread: Re: Bits (Nybbles?) from the Vancouver release team meeting
Next by thread: Re: Bits (Nybbles?) from the Vancouver release team meeting
Index(es):
- Date
- Thread