[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building packages with exact binary matches

On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <muecker@gmx.de> said: 
> > On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
> >> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <muecker@gmx.de>
> >> said:
> >> 
> >> > It would be enough when just a few people are actually recompiling
> >> > the binaries and compare it to the official debian packages. Then
> >> > *everbody* could trust that the packages are not modified, because
> >> > any modification would be detected immediatley. This is only
> >> > possible with bit-identical binaries.
> >> 
> >> Err, what? Why would everyone do that? I mean, you do not trust the
> >> Debian distribution system, the archive gpg signatures, the md5sums
> >> on the package, etc, and ye5t you are willing to accept mails from
> >> other people that things are oK?
> > No. I would trust the binaries if there are *no mails* from other
>         Ah, security through blissful ignorance :)  You do not actually
>  trust the archive, or the developers, you  trust the silence.

I trust special relativity, because nobody has disproven it yet.
Do you think this is blissfull ignorance, too? 

> > people that things are *not ok*. Because everybody can check that the
> > binaries are not compromised, you can actually be quite sure that
> > things are ok, as long as nobody complains.  And if doubts come up, I
> > can check myself. This actually the same principle on wich science is
> > build: falsifiability.
>         Everyone does that now based on debian archive signatures. You
>  do not need bit-by-bit verification for that.

Again: How does this protect against a compromised build host?
>         So, one someone lets the cat out of the bag, and we are not so
>  blissful ,how can we check? 
>         Simple, you say, compile the source!!  But, dear folks, the
>  person who can  compromise the archive, fake out the buildd's,
>  add the archive signature -- can also hack the source. 

Is actually quite likely that somebody would notice if Debian
distributes trojaned source packages.

> > Its exactly the same: Because the source code is open, I would hope
> > that somebody would find the backdoor.
>         Ah. again, assume security until someone pulls us out of our
>  ignorance. 

See above.
>         So easy to do a denial of service attack by random slander of
>  binaries and source (thanks, helpful botnet).

All security work in the free software community works like
this: Somebody finds a flaw, he reports it, it gets fixed.
So you say this can be DOSed by reporting a lot of false bug
reports with a botnet?
> > Compare this to the current system: The trustworthiness of *all* DDs
> > wich maintain packages which are installed on my systems, the security
> > of *all* computers those DDs store their keys on, the security of the
> > build host, the gpg signatures and the md5sums are actually a chain of
> > trust where the weakest link determines the total security.
>         I kinda find your alternate shceme, based on bit-for-bit
>  sameness, not to be all that secure, really. It is a feel good thing
>  with little added secueity.

Ironically, I think the current scheme where the binaries are
signed by some public key provides a false illusion of security.
Have you actually thought about the meaning of this signature?
It just means that the signee (and I do not even know who
this actually is) believes that this binary was not tampered 
with. Nothing more. And nobody else has the possibilty to
verify this.
>         However, this is all moot; unless someone does all the work to
>  make things absolutely bit-for-bit the same, compile after compile, and
>  manages to convince all the package ownsers to accept the changes, this
>  is going nowhere.  I am not even sure it can be done, technically.

You are right: Currently, this is all moot. But I find this discussion
very interesting. 

Reply to: