Re: Recompilation of ALL Debian packages ...

To: debian-project@lists.debian.org
Subject: Re: Recompilation of ALL Debian packages ...
From: Russ Allbery <rra@debian.org>
Date: Thu, 31 Aug 2006 17:41:11 -0700
Message-id: <[🔎] 87fyfcfmfs.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 200608311606.03053.ceplm@seznam.cz> (Matej Cepl's message of "Thu, 31 Aug 2006 16:06:02 -0400")
References: <[🔎] 200608311021.08484.ceplm@seznam.cz> <20060831164738.GA3281@pcpool00.mathematik.uni-freiburg.de> <[🔎] 200608311606.03053.ceplm@seznam.cz>

Matej Cepl <ceplm@seznam.cz> writes:

> No, it is matter of accountability and being able to tell to the bank
> (mentioned in Martin's presentation) that we know who compiled the
> package and we have made reasonable precautions to be sure there are no
> trojans inside.

Rebuilding every package really doesn't buy you that much in the way of
security.  It makes it harder to hide what you did, but only harder; a
rogue uploader could obfuscate a trojan in source code rather well.  In
the end, we still trust people in the keyring.  About the only thing you
gain is the potential ability to do more detailed post-mortem analysis
after something already exploded.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Recompilation of ALL Debian packages ...
  - From: Sven Luther <sven.luther@wanadoo.fr>

References:
- Recompilation of ALL Debian packages ...
  - From: Matej Cepl <ceplm@seznam.cz>
- Re: Recompilation of ALL Debian packages ...
  - From: Matej Cepl <ceplm@seznam.cz>

Prev by Date: Re: Recompilation of ALL Debian packages ...
Next by Date: Re: Recompilation of ALL Debian packages ...
Previous by thread: Re: Recompilation of ALL Debian packages ...
Next by thread: Re: Recompilation of ALL Debian packages ...
Index(es):
- Date
- Thread