Re: leaks in our only-signed-software fortress
On Sat, 18 Feb 2012, Neil Williams wrote:
> On Sat, 18 Feb 2012 16:25:20 +0200
> Christoph Anton Mitterer <firstname.lastname@example.org> wrote:
> > Am 18.02.2012 14:40, schrieb Neil Williams:
> > >> I think as a start it should be made a policy that any "wrapper"
> > >> package that downloads code from the net must at least do a strong
> > >> checksum check on the downloaded code.
> > > Not possible to enforce as a 'MUST' because, by definition, third-party
> > > websites will not provide checksums for every possible download
> > > mechanism.
> > Well it's still possible then,... the maintainer can just calculate
> > sums on his own.
> Against what? The source is only downloaded from upstream once per
> upstream release, what is there to check against?
Upstream VCS, previous releases (when the diff is small enough), request
that upstream publish in an email message the sha1sum or sha256sum when they
announce a new release, etc.
How much it will protect Debian users depends entirely on where the trojan
insertion point was. So far, the more common insertion points have NOT
been upstream's development box, but rather the public distribution points
and VCS trees.
Heck, even for a dead upstream you still get the stuff from the other distros
to compare Debian's with. Even if you did it only to check for interesting
patches from other distros, it would still increase the chances of you
noticing something is weird.
And it is part of the job of a downstream maintainer to educate upstream
when necessary, even if it takes a lot of diplomacy and a lot of effort.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
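The cross-checking described in the reply above (upstream's announced sum, a previous release or another distro's copy, all compared against the tarball actually fetched) can be scripted. The following is an added example written for this thread, not code from any poster or from Debian's tooling; the sample "release" bytes, the sums-file text and the source names are constructed stand-ins, and the accept/reject policy (at least one independent source must match, none may contradict) is the example's own assumption.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for an upstream release tarball (not a real release).
SAMPLE_RELEASE = b"fake-release-1.0.tar.gz contents (constructed sample)\n"
SAMPLE_NAME = "fake-release-1.0.tar.gz"


def sha256_bytes(data):
    """SHA-256 of an in-memory blob, as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large tarball never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_file(text):
    """Parse sha256sum(1)-style output ('<hex>  <name>' or '<hex> *<name>' per line).

    Returns {filename: hexdigest}. Blank lines and '#' comments are ignored.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def cross_check(path, filename, sources):
    """Compare the fetched file against every independent source of expected sums.

    sources: {source_name: {filename: hexdigest}}.
    Returns (actual_digest, {source_name: 'match' | 'mismatch' | 'missing'}).
    """
    actual = sha256_file(path)
    results = {}
    for src, table in sources.items():
        expected = table.get(filename)
        if expected is None:
            results[src] = "missing"
        elif expected == actual:
            results[src] = "match"
        else:
            results[src] = "mismatch"
    return actual, results


def verdict(results):
    """Assumed policy: any contradiction rejects; otherwise one matching source accepts."""
    statuses = set(results.values())
    if "mismatch" in statuses:
        return "REJECT"
    if "match" in statuses:
        return "ACCEPT"
    return "UNVERIFIED"


def demo():
    """Run three constructed scenarios and return {scenario: verdict}."""
    good = sha256_bytes(SAMPLE_RELEASE)
    tampered = "0" * 64  # constructed digest that cannot match the sample
    # Constructed sums-file texts standing in for an upstream announcement mail
    # and another distro's recorded checksum.
    upstream_mail = parse_sums_file(f"{good}  {SAMPLE_NAME}\n")
    other_distro = parse_sums_file(f"# other distro\n{good} *{SAMPLE_NAME}\n")
    bad_mirror = parse_sums_file(f"{tampered}  {SAMPLE_NAME}\n")

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SAMPLE_NAME)
        with open(path, "wb") as f:
            f.write(SAMPLE_RELEASE)
        out = {}
        _, r = cross_check(path, SAMPLE_NAME, {"upstream": upstream_mail, "distro": other_distro})
        out["clean"] = verdict(r)
        _, r = cross_check(path, SAMPLE_NAME, {"upstream": upstream_mail, "mirror": bad_mirror})
        out["tampered_mirror"] = verdict(r)
        _, r = cross_check(path, SAMPLE_NAME, {"upstream": {}})
        out["no_sources"] = verdict(r)
        return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

A disagreement between sources is treated as a reject rather than a majority vote, since, as the reply notes, the usual compromise is of a distribution point or VCS tree rather than the developer's box: a single dissenting copy is exactly the signal worth stopping on.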