
Re: securing/monitoring Debian devel environment



Yaroslav Halchenko <debian@onerussian.com> writes:
> script). The only way to completely prevent that would be to develop and
> build packages in a completely isolated (virtual machine) environment

Interesting ideas but don't you also need to run the produced binaries
in isolation? If we assume a malicious upstream they can surely make
the build innocent but then have the produced binaries launch sudojump
[1] in the background and have it root your machine the next time you
use sudo. Since you mentioned ssh-agent: They can also use ssh-jack
[2] to run commands on all machines where you have open ssh
connections, they don't need to wait for you to start a new ssh
connection.

[1] http://seclists.org/bugtraq/2007/Jun/16
[2] http://www.storm.net.nz/projects/7

