Re: Building packages with exact binary matches
On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <firstname.lastname@example.org> said:
> > On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
> >> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <email@example.com>
> >> said:
> >> > It would be enough when just a few people are actually recompiling
> >> > the binaries and compare it to the official debian packages. Then
> >> > *everbody* could trust that the packages are not modified, because
> >> > any modification would be detected immediatley. This is only
> >> > possible with bit-identical binaries.
> >> Err, what? Why would everyone do that? I mean, you do not trust the
> >> Debian distribution system, the archive gpg signatures, the md5sums
> >> on the package, etc, and ye5t you are willing to accept mails from
> >> other people that things are oK?
> > No. I would trust the binaries if there are *no mails* from other
> Ah, security through blissful ignorance :) You do not actually
> trust the archive, or the developers, you trust the silence.
I trust special relativity, because nobody has disproven it yet.
Do you think this is blissfull ignorance, too?
> > people that things are *not ok*. Because everybody can check that the
> > binaries are not compromised, you can actually be quite sure that
> > things are ok, as long as nobody complains. And if doubts come up, I
> > can check myself. This actually the same principle on wich science is
> > build: falsifiability.
> Everyone does that now based on debian archive signatures. You
> do not need bit-by-bit verification for that.
Again: How does this protect against a compromised build host?
> So, one someone lets the cat out of the bag, and we are not so
> blissful ,how can we check?
> Simple, you say, compile the source!! But, dear folks, the
> person who can compromise the archive, fake out the buildd's,
> add the archive signature -- can also hack the source.
Is actually quite likely that somebody would notice if Debian
distributes trojaned source packages.
> > Its exactly the same: Because the source code is open, I would hope
> > that somebody would find the backdoor.
> Ah. again, assume security until someone pulls us out of our
> So easy to do a denial of service attack by random slander of
> binaries and source (thanks, helpful botnet).
All security work in the free software community works like
this: Somebody finds a flaw, he reports it, it gets fixed.
So you say this can be DOSed by reporting a lot of false bug
reports with a botnet?
> > Compare this to the current system: The trustworthiness of *all* DDs
> > wich maintain packages which are installed on my systems, the security
> > of *all* computers those DDs store their keys on, the security of the
> > build host, the gpg signatures and the md5sums are actually a chain of
> > trust where the weakest link determines the total security.
> I kinda find your alternate shceme, based on bit-for-bit
> sameness, not to be all that secure, really. It is a feel good thing
> with little added secueity.
Ironically, I think the current scheme where the binaries are
signed by some public key provides a false illusion of security.
Have you actually thought about the meaning of this signature?
It just means that the signee (and I do not even know who
this actually is) believes that this binary was not tampered
with. Nothing more. And nobody else has the possibilty to
> However, this is all moot; unless someone does all the work to
> make things absolutely bit-for-bit the same, compile after compile, and
> manages to convince all the package ownsers to accept the changes, this
> is going nowhere. I am not even sure it can be done, technically.
You are right: Currently, this is all moot. But I find this discussion