[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building packages with exact binary matches



On Tue, Sep 25, 2007 at 01:03:27AM +0100, Benjamin A'Lee wrote:
> On Tue, Sep 25, 2007 at 12:04:15AM +0200, Martin Uecker wrote:
> > Manoj Srivastava <srivasta@debian.org> wrote:
> > >        Actually, if you do not trust the path down which a binary
> > > package flows, you can not use any information down that flow path to
> > > test your implementation.  You need to do a full source audit, and
> > > build from source -- at which point, you might just install your trused
> > > binary, instead of trying to verify that the upstream package is the
> > > same as yours.
> > 
> > It would be enough when just a few people are actually recompiling the
> > binaries and compare it to the official debian packages. Then
> > *everbody* could trust that the packages are not modified,
> > because any modification would be detected immediatley. This is
> > only possible with bit-identical binaries.
> 
> Erm, if I can't trust the Debian Project to create trustworthy packages
> and verify their integrity, why should I trust anyone else to verify
> them?

No, I trust that somebody would *falsify* them if there are compromised.
See my reply to Manoj for an explanation.

[...]
 
> You're also assuming that the source code is trustworthy. If the binary
> packages can be compromised, so can the source packages.

Its exactly the same: Because the source code is open, I would hope
that somebody would find the backdoor.

Martin



Reply to: