Re: Building packages with exact binary matches

To: debian-devel@lists.debian.org
Cc: Martin Uecker <muecker@gmx.de>
Subject: Re: Building packages with exact binary matches
From: Martin Uecker <muecker@gmx.de>
Date: Fri, 28 Sep 2007 23:04:00 +0200
Message-id: <[🔎] 20070928210400.GA4180@bluestein>
Mail-followup-to: Martin Uecker <muecker@gmx.de>, debian-devel@lists.debian.org, Martin Uecker <muecker@gmx.de>
In-reply-to: <[🔎] 20070928160559.GL9003@archimedes.ucr.edu>
References: <[🔎] 20070925214917.GA11914@bluestein> <[🔎] 87zlzacobv.fsf@anzu.internal.golden-gryphon.com> <[🔎] 20070926004509.GA17653@bluestein> <[🔎] 87hclic829.fsf@anzu.internal.golden-gryphon.com> <[🔎] 20070926103151.GA8418@bluestein> <[🔎] 873ax0a7ra.fsf@anzu.internal.golden-gryphon.com> <[🔎] 20070927092847.GB12500@bluestein> <[🔎] 87abr77ki9.fsf@anzu.internal.golden-gryphon.com> <[🔎] 20070928093013.GA1032@bluestein> <[🔎] 20070928160559.GL9003@archimedes.ucr.edu>

On Fri, Sep 28, 2007 at 09:05:59AM -0700, Don Armstrong wrote:
> On Fri, 28 Sep 2007, Martin Uecker wrote:
> > You are seriously stating that is as easy to hide a trojan in the
> > source code as in the binary?
> 
> Consider the fact that we've already had such a case,[1] whereas we've
> not (to my knowledge) distributed a trojaned binary. I'm not sure
> which is easier to hide, but it seems that making a source trojan is
> at least more frequent if not easier to create.

I would not call this a trojan. But I guess I have to change
my opinion anyway. Manoj is right: Trojaned upstream sources
are a major security risk, against which exact binary matches
do not help. But I still think they would still eliminate a lot
of other risks, which should IMHO not be ignored.

There is some other thing I do not like about the way Debian
packages work. Every package I install can actually completely
compromise my system, because the maintainer scripts are run
as root. It would be nice if normal packages would not be allowed
to have maintainer scripts and would only be allowed to install
binaries in certain paths.

Martin

Reply to:

Follow-Ups:
- Re: Building packages with exact binary matches
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: Building packages with exact binary matches
  - From: Manoj Srivastava <srivasta@debian.org>

References:
- Re: Building packages with exact binary matches
  - From: Martin Uecker <muecker@gmx.de>
- Re: Building packages with exact binary matches
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Building packages with exact binary matches
  - From: Martin Uecker <muecker@gmx.de>
- Re: Building packages with exact binary matches
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Building packages with exact binary matches
  - From: Martin Uecker <muecker@gmx.de>
- Re: Building packages with exact binary matches
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Building packages with exact binary matches
  - From: Martin Uecker <muecker@gmx.de>
- Re: Building packages with exact binary matches
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Building packages with exact binary matches
  - From: Martin Uecker <muecker@gmx.de>
- Re: Building packages with exact binary matches
  - From: Don Armstrong <don@debian.org>

Prev by Date: Re: modified email address in debian/copyright file
Next by Date: Re: Building packages with exact binary matches
Previous by thread: Re: Building packages with exact binary matches
Next by thread: Re: Building packages with exact binary matches
Index(es):
- Date
- Thread