
Re: leaks in our only-signed-software fortress



On Sat, 18 Feb 2012, Teus Benschop wrote:
> To put things in perspective, I just wonder how strong this 'fortress'
> really is, and whether this strength is only in our perception or
> whether it is real. Let me give just one example: A developer downloads
> a tarball from an upstream source, configures it, and does make install,
> yet has not even once checked whether this tarball is secure or is not a
> root kit. Teus.

Good packaging developers go to great lengths to be sure they are not
going to distribute anything trojaned.  This takes a lot of work, and
often requires a very good working relationship with upstream to the point
of getting upstream to change his processes.  This does include tracking
deviations from VCS to upstream releases, going over upstream changes
when possible, and using crypto properly to verify authenticity of
upstream commits and tarballs (when available.  When it is not
available, educating upstream about it is required).

Obviously, sometimes due diligence is not done (some people are quite
lazy), and sometimes it is just plain impossible to do.  And sometimes
the malicious change was done in such way that only a careful audit
would find it.

So, yes, you really risk it happening.  If you want to minimize that
chance, Debian stable is your friend as the window of opportunity to
discover trojaned sources is much larger in stable than it is in testing
and unstable.

I'm not sure what the Debian project could do to make sure we're at
least doing everything that is humanly possible, *on every package* (we
already do it on many packages) to allow for early detection of trojaned
upstream releases or trojaned upstream VCS.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
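One concrete form of the "tracking deviations from VCS to upstream releases" check described above, as an added example that is not from the post or from any Debian tool: it unpacks a release tarball in memory and reports files added, removed or changed relative to a VCS export of the release tag, with an allowlist for generated files (such as configure) that are expected in a tarball but never live in version control. The package name pkg-1.0, the file contents and the VCS tree are constructed samples.

```python
import io
import tarfile


def tarball_deviations(tar_bytes, vcs_files, generated_ok=()):
    """vcs_files maps relative path -> bytes from a VCS export of the release
    tag. Paths in generated_ok (autotools output such as 'configure') are
    expected in a release and are not reported as added. Returns a dict with
    'added' (tarball only), 'removed' (VCS only) and 'modified' (differs)."""
    tar_files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # release tarballs carry a leading "pkg-1.0/" directory; drop it
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            tar_files[rel] = tar.extractfile(member).read()
    dev = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(tar_files) | set(vcs_files)):
        if path not in vcs_files:
            if path not in generated_ok:
                dev["added"].append(path)
        elif path not in tar_files:
            dev["removed"].append(path)
        elif tar_files[path] != vcs_files[path]:
            dev["modified"].append(path)
    return dev


def build_tarball(files, prefix="pkg-1.0"):
    """Build an in-memory tar.gz from {path: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: what the VCS export of the release tag contains
VCS = {"configure.ac": b"AC_INIT([pkg], [1.0])\n",
       "src/main.c": b"int main(void) { return 0; }\n"}
# Constructed sample: the release tarball adds a generated 'configure' (expected),
# an m4 file that never went through the VCS, and a changed src/main.c
TARBALL = build_tarball({"configure.ac": VCS["configure.ac"],
                         "configure": b"#!/bin/sh\n# generated by autoconf\n",
                         "src/main.c": b"int main(void) { return 1; }\n",
                         "m4/extra.m4": b"dnl not in VCS\n"})
```

Anything in "added" or "modified" is what the packager has to explain before uploading; in practice the VCS side comes from exporting the release tag and regenerating the autotools output, so that generated files can be compared byte for byte too.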
