Re: Preventing government subversion in Debian, verification of binary package uploads
+++ Erich Schubert [2013-08-24 14:51 +0200]:
> What I'd like to see is that for all packages (at least for all
> security relevant packages, including kernel, SSH, GPG, OpenSSL) every
> package is compiled multiple times, and checksums to verify that none
> of the build systems were compromised.
> There will probably be a number of challenges. From different library
> header versions, compiler versions to CPU architecture differences,
> race conditions and the use of randomization in the build process, a
> lot of parameters could cause different binary signatures. But if we
> can at least get the essential packages safe this way, it would be a
> good thing.
> And last but not least, all of this might already have been done and I
> just missed it.
> So at some point, I'd like to see Debian binaries verified by diverse
> double compilation, using a number of different compilers and
> different people in very different countries.
There was a very interesting BOF at debconf on a subject closely
related to this, which is being able to do binary-identical rebuilds
at all. That is a necessary prerequisite for the above checks,
otherwise you'll always find differences that are just due to times,
dates, machine names, buildd configs etc.
It was not recorded, but there are good notes at:
gobby -c gobby.debian.org -n
which I think have been turned into this wiki page:
Quite a lot of people are interested in this, for various reasons, the
one you give being just one example. We did seem short of volunteers
to actually push this forward and make it happen, so as ever, if you'd
like to see this become a reality, do please get stuck in.
Principal hats: Linaro, Emdebian, Wookware, Balloonboard, ARM
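An added example, not part of the thread, of why the reply calls binary-identical rebuilds a prerequisite for the checks Erich asks for: two simulated buildds (hypothetical hostnames, a constructed source tree and a constructed SOURCE_DATE_EPOCH value) package the same files, once with an unprepared packager that leaks clock, hostname and directory order into the bytes, and once with those inputs pinned, so only the pinned variant yields a checksum two independent builders can compare.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree" (path -> contents); SOURCE_DATE_EPOCH is a
# constructed stand-in for the date of the latest changelog entry.
SOURCE_TREE = {
    "usr/bin/tool": b"#!/bin/sh\necho tool\n",
    "usr/share/doc/tool/README": b"tool documentation\n",
}
SOURCE_DATE_EPOCH = 1377348660

def _package(stamp, file_order, mtime, owner, gzip_mtime):
    """Write the tree plus a build stamp as tar.gz with the given metadata."""
    entries = [("usr/share/doc/tool/buildinfo", stamp)]
    entries += [(name, SOURCE_TREE[name]) for name in file_order]
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            info.uname, info.gname = owner
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def naive_package(hostname, now, file_order):
    """Unprepared packaging: wall-clock time, the buildd's hostname and
    filesystem-dependent directory order all end up in the bytes, and gzip
    stamps time.time() into its header when given no mtime."""
    stamp = f"built on {hostname} at {now}\n".encode()
    return _package(stamp, file_order, now, ("buildd", "buildd"), None)

def normalised_package(hostname, now, file_order):
    """Same tree with every environment-dependent input pinned, so the host
    and clock of whoever runs the build cannot change the output."""
    stamp = f"source date {SOURCE_DATE_EPOCH}\n".encode()
    return _package(stamp, sorted(file_order), SOURCE_DATE_EPOCH,
                    ("root", "root"), SOURCE_DATE_EPOCH)

def rebuild_matches(packager):
    """The cross-check from the thread: two independent builders with different
    host, clock and directory listing order must yield the same checksum."""
    a = packager("buildd-a.example", 1377348700, list(SOURCE_TREE))
    b = packager("buildd-b.example", 1377352300, list(SOURCE_TREE)[::-1])
    return hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest()
```

Real packages have more such inputs (compiler version, umask, locale, __DATE__ in C sources), which is why the BOF notes treat identifying and pinning them as the first step.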