Re: holes in secure apt
At Thu, 12 Jun 2014 18:35:39 +0200,
Christoph Anton Mitterer wrote:
> On Thu, 2014-06-12 at 10:30 +0200, Thorsten Glaser wrote:
> > The buildd-related software (and most people when doing manual builds
> > with cowbuilder) uses “apt-get source foo” to download the file, fully
> > assuming that apt-get ensures validation, so no “dscverify” is run on
> > the sources downloaded by apt. (If someone uses dget, either dget is
> > new enough to call dscverify, or they had better be doing that by hand.)
> Which is why we're possibly screwed already... even if the builds don't
> run as root... it seems like a rather easy way to get into the build
> hosts... and/or have forged source packages built and distributed.
> Just that NSA hasn't twittered yet that they didn't doesn't mean this is
> the case...
> So... @security-team: is there anything that is going to be done with
> respect to Debian's infrastructure? Or do we simply assume that no one
> tried that attack vector before?
The security team is responsible for releasing security updates, not
for securing Debian's infrastructure. See
https://wiki.debian.org/Teams/Security for more information.
And if you're really concerned with state actors backdooring Debian
packages, then please take a look at reproducible builds:
https://wiki.debian.org/ReproducibleBuilds. Securing all buildds and
the personal machines of all developers against such sophisticated
attackers is very difficult. Although we should of course do our best
to keep everything secure, I think the best way to make sure there are
no backdoors inserted when binary packages are built is to make it
easy to verify they are built from the correct source package.
The wiki page also has a nice "Useful things you (yes, you!) can do"