On ചൊവ്വ 03 ഒക്ടോബര് 2017 03:02 വൈകു, Simon McVittie wrote: > Presumably you verified that at the time *you* built the package, the > out-of-archive tools were of a non-malicious version, and were producing > compiled binaries (minified JavaScript, rather than actually binaries?) > that correspond to the source. It would probably be useful to write down > how you do this in debian/README.source if you haven't already. > > However, that verification isn't really sufficient if a rebuild > on the buildds could download an entirely different version of the > out-of-archive tools: a sufficiently inventive attacker who had gained > control over upstream's distribution channel could even arrange to serve > a non-malicious toolchain to your IP address, but then serve a malicious > version to Debian buildds' IP addresses. But debian buildds already prohibit network access during build and these packages has to be binary included always. So the theoretical security issue never manifests in practice. > At least that way, you have the opportunity to inspect the pre-built > binary (I hope "binary" here means a bundled/minified version that is > not the preferred form for modification but is somewhat human-readable, > rather than something as opaque as a compiled C binary) and have some > level of confidence that it corresponds to the source. That is how it is happening even now as it will always be built on a maintainers machine. Having pre-built binaries instead will only change the perception. It makes build process non standard and manual making it harder for others to build (will need to learn about nodejs specifics unlike the regular dpkg-buildpackage) or introduce possibilities of making mistakes (any manual steps can introduce mistakes). But as I already mentioned in my last mail, I will accept this advice, even though I'm not convinced.
Attachment:
signature.asc
Description: OpenPGP digital signature