[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: securing/monitoring Debian devel environment

Yaroslav Halchenko <debian@onerussian.com> writes:
> script). The only way to completely prevent that would be to develop and
> build packages in a completely isolated (virtual machine) environment

Interesting ideas but don't you also need to run the produced binaries
in isolation? If we assume a malicious upstream they can surely make
the build innocent but then have the produced binaries launch sudojump
[1] in the background and have it root your machine the next time you
use sudo. Since you mentioned ssh-agent: They can also use ssh-jack
[2] to run commands on all machines where you have open ssh
connections, they don't need to wait for you to start a new ssh

[1] http://seclists.org/bugtraq/2007/Jun/16
[2] http://www.storm.net.nz/projects/7

Reply to: