Re: Recompilation of ALL Debian packages ...

To: debian-project@lists.debian.org
Subject: Re: Recompilation of ALL Debian packages ...
From: Russ Allbery <rra@debian.org>
Date: Sat, 02 Sep 2006 00:47:22 -0700
Message-id: <[🔎] 87zmdid81h.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20060902072126.GA26999@piper.madduck.net> (martin f. krafft's message of "Sat, 2 Sep 2006 09:21:26 +0200")
References: <200608311021.08484.ceplm@seznam.cz> <20060831164738.GA3281@pcpool00.mathematik.uni-freiburg.de> <200608311606.03053.ceplm@seznam.cz> <87fyfcfmfs.fsf@windlord.stanford.edu> <[🔎] 20060901110654.GA8692@piper.madduck.net> <[🔎] 8764g7kvdb.fsf@windlord.stanford.edu> <[🔎] 20060902064234.GA4853@piper.madduck.net> <[🔎] 87lkp2ep5q.fsf@windlord.stanford.edu> <[🔎] 20060902070103.GA6372@piper.madduck.net> <[🔎] 87d5aeeo8n.fsf@windlord.stanford.edu> <[🔎] 20060902072126.GA26999@piper.madduck.net>

martin f krafft <madduck@debian.org> writes:

> And yes, I still think there's a difference between the two scnearios: a
> clean source, 11 clean binaries, but one trojaned one against an unclean
> source and 12 unclean binaries. As someone else said, post-mortem it'll
> be *much* easier to deal with the latter.

I've thought about this for a while now (you mentioned it earlier as well)
and I can't see why the latter would be easier to deal with.  I'm curious
what difference you're seeing.  Either way, you still have to verify that
the source is now clean; there's no reason to assume, once a trojan is
discovered, that there was only *one* trojan, and source trojans can be
written to only manifest on one particular platform.

Certainly, binaries are essentially impossible to audit, so as soon as you
want the security of an audit, you have to start with source.  But
blocking upload of binaries doesn't help with that process at all.  It
only would if the ftpmasters or buildd admins were then going to audit the
source, which of course they're not and couldn't given the millions of
lines of source in Debian.

I can construct several artificial scenarios where source-only uploads
would lead to better security (such as postulating the existence of roving
source code auditors who look at all the Debian source packages), but none
of them describe Debian today or seem particularly likely to describe a
future Debian.

The reason why people get uncomfortable around this area of Debian's
security is because they *should* be; what they may miss is that the same
issues apply to *all* software, and they should be equally nervous about
any software they download off the net, in any form.  The largest
mitigation of the risk is that most software comes with chains of trust,
breaks in those chains of trust usually have other symptoms and are
discovered through other methods, and as soon as someone finds a problem
the word spreads fairly fast.  It would surprise me a great deal if SuSE
were any better at auditing the code they incorporate into their
distribution than Debian is.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: Recompilation of ALL Debian packages ...
  - From: martin f krafft <madduck@debian.org>
- Re: Recompilation of ALL Debian packages ...
  - From: Russ Allbery <rra@debian.org>
- Re: Recompilation of ALL Debian packages ...
  - From: martin f krafft <madduck@debian.org>
- Re: Recompilation of ALL Debian packages ...
  - From: Russ Allbery <rra@debian.org>
- Re: Recompilation of ALL Debian packages ...
  - From: martin f krafft <madduck@debian.org>
- Re: Recompilation of ALL Debian packages ...
  - From: Russ Allbery <rra@debian.org>
- Re: Recompilation of ALL Debian packages ...
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: Recompilation of ALL Debian packages ...
Next by Date: Re: Recompilation of ALL Debian packages ...
Previous by thread: Re: Recompilation of ALL Debian packages ...
Next by thread: Re: Recompilation of ALL Debian packages ...
Index(es):
- Date
- Thread