Re: Building packages with exact binary matches

[Manoj Srivastava <srivasta@debian.org>]

On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <muecker@gmx.de> said: 

> On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
>> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <muecker@gmx.de>
>> said:
>> 

>> > It would be enough when just a few people are actually recompiling
>> > the binaries and compare it to the official debian packages. Then
>> > *everbody* could trust that the packages are not modified, because
>> > any modification would be detected immediatley. This is only
>> > possible with bit-identical binaries.
>> 
>> Err, what? Why would everyone do that? I mean, you do not trust the
>> Debian distribution system, the archive gpg signatures, the md5sums
>> on the package, etc, and ye5t you are willing to accept mails from
>> other people that things are oK?

> No. I would trust the binaries if there are *no mails* from other

        Ah, security through blissful ignorance :)  You do not actually
 trust the archive, or the developers, you  trust the silence.

> people that things are *not ok*. Because everybody can check that the
> binaries are not compromised, you can actually be quite sure that
> things are ok, as long as nobody complains.  And if doubts come up, I
> can check myself. This actually the same principle on wich science is
> build: falsifiability.

        Everyone does that now based on debian archive signatures. You
 do not need bit-by-bit verification for that.

        So, one someone lets the cat out of the bag, and we are not so
 blissful ,how can we check? 

        Simple, you say, compile the source!!  But, dear folks, the
 person who can  compromise the archive, fake out the buildd's,
 add the archive signature -- can also hack the source. 


> Its exactly the same: Because the source code is open, I would hope
> that somebody would find the backdoor.

        Ah. again, assume security until someone pulls us out of our
 ignorance. 

        So easy to do a denial of service attack by random slander of
 binaries and source (thanks, helpful botnet).

> Compare this to the current system: The trustworthiness of *all* DDs
> wich maintain packages which are installed on my systems, the security
> of *all* computers those DDs store their keys on, the security of the
> build host, the gpg signatures and the md5sums are actually a chain of
> trust where the weakest link determines the total security.

        I kinda find your alternate shceme, based on bit-for-bit
 sameness, not to be all that secure, really. It is a feel good thing
 with little added secueity.

        However, this is all moot; unless someone does all the work to
 make things absolutely bit-for-bit the same, compile after compile, and
 manages to convince all the package ownsers to accept the changes, this
 is going nowhere.  I am not even sure it can be done, technically.

        manoj
-- 
Work without a vision is slavery, Vision without work is a pipe dream,
But vision with work is the hope of the world.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C