
Re: Bug#827487: bytes-circle_2.2-1_amd64.changes REJECTED
Hello,

On Tue, Jun 21, 2016 at 01:22:15PM +0200, Adam Borowski wrote:
> Debian is currently moving towards source-only uploads, but at the moment
> binaries of at least one architecture are still required for NEW packages. 
> This is bad, as I could have snuck some nefarious code through, be it
> accidentally (like, via having an experimental or out-of-Debian compiler or
> a library installed) or to subvert security.  Sure, it is possible to sneak
> something nasty in the source (the Underhanded C Contest has some nice ideas
> how, even in face of thorough review) but it's MASSIVELY easier to do it
> undetected by uploading a binary that doesn't correspond to the source. 
> Thus, you have no assurance bytes-circle:amd64 is untainted.

I think that we should avoid thinking that one purpose of source-only
uploads is to deal with DDs and DMs intentionally subverting security by
means of dodgy binaries.  We already place a great deal of trust in
those who can upload packages, and it doesn't make sense to say that,
despite this trust, we need to block uploading binary .debs in case the
DD/DM decides to intentionally upload something dodgy.

The threat of accidentally dodgy binaries is of course a very good reason
for source-only uploads.  Let me add to your list the possibility that
the DD/DM's system is (partially) compromised and an attacker inserts a
dodgy .deb which gets signed and uploaded, or an attacker replaces the C
compiler or something like that.

Perhaps I misunderstood you and you only had this latter case in mind.

-- 
Sean Whitton

Attachment: signature.asc
Description: PGP signature
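The assurance the thread is asking for, that an uploaded binary actually corresponds to its source, is what an independent rebuild plus a checksum comparison provides. The following is an added example, not code from this thread or from Debian's own tooling (dak, dpkg-genchanges, or the Reproducible Builds infrastructure). It uses the real `Checksums-Sha256:` field layout of a `.changes` file (one continuation line per file: digest, size, filename), but the artifact bytes and the `.changes` text are constructed here for illustration, and the `.deb` filename is assumed from the subject line. It only demonstrates the comparison step; a real rebuild must be bit-for-bit reproducible (same toolchain, build path, and environment) for a mismatch to mean anything.

```python
import hashlib

# Constructed sample artifacts (not real package contents): the bytes the
# uploader's machine produced, and a differing build of the "same" package,
# standing in for a binary that does not correspond to the uploaded source.
DEB_NAME = "bytes-circle_2.2-1_amd64.deb"  # assumed from the subject line
UPLOADED_DEB = b"<deb as built on the uploader's machine>"
DIVERGENT_DEB = b"<deb as built on the uploader's machine> + something extra"


def make_changes(files):
    """Emit a minimal Checksums-Sha256 field in .changes format.

    files: {filename: bytes}.  This stands in for the field that the uploader's
    tooling would have written for the binaries being uploaded.
    """
    lines = ["Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_checksums(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    Continuation lines of a field start with a space; the first line that does
    not is the start of the next field.
    """
    result = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            result[name] = (digest, int(size))
    return result


def verify_rebuild(changes_text, rebuilt):
    """Compare independently rebuilt artifacts against the uploaded checksums.

    rebuilt: {filename: bytes} produced by a rebuild on trusted infrastructure.
    Returns {filename: "match" | "mismatch" | "missing"}.  A "mismatch" means
    the uploaded binary and the rebuild differ; with a reproducible toolchain
    that is exactly the condition the thread worries about.
    """
    expected = parse_checksums(changes_text)
    report = {}
    for name, (digest, size) in expected.items():
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) == size and hashlib.sha256(data).hexdigest() == digest:
            report[name] = "match"
        else:
            report[name] = "mismatch"
    return report


if __name__ == "__main__":
    changes = make_changes({DEB_NAME: UPLOADED_DEB})
    print(changes)
    print("clean rebuild:   ", verify_rebuild(changes, {DEB_NAME: UPLOADED_DEB}))
    print("divergent rebuild:", verify_rebuild(changes, {DEB_NAME: DIVERGENT_DEB}))
```

The size check is deliberately kept alongside the digest: it costs nothing and rejects the most common accidental mismatch (a different build producing a different-sized file) before hashing. In practice the `rebuilt` mapping would come from a buildd or a Reproducible Builds rebuilder rather than from the uploader's own machine, since a rebuild on the same possibly compromised host proves nothing.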