Re: Recompilation of ALL Debian packages ...

To: Russ Allbery <rra@debian.org>
Cc: debian-project@lists.debian.org
Subject: Re: Recompilation of ALL Debian packages ...
From: Sven Luther <sven.luther@wanadoo.fr>
Date: Fri, 1 Sep 2006 02:57:27 +0200
Message-id: <[🔎] 20060901005727.GA11807@powerlinux.fr>
In-reply-to: <[🔎] 87fyfcfmfs.fsf@windlord.stanford.edu>
References: <[🔎] 200608311021.08484.ceplm@seznam.cz> <20060831164738.GA3281@pcpool00.mathematik.uni-freiburg.de> <[🔎] 200608311606.03053.ceplm@seznam.cz> <[🔎] 87fyfcfmfs.fsf@windlord.stanford.edu>

On Thu, Aug 31, 2006 at 05:41:11PM -0700, Russ Allbery wrote:
> Matej Cepl <ceplm@seznam.cz> writes:
> 
> > No, it is matter of accountability and being able to tell to the bank
> > (mentioned in Martin's presentation) that we know who compiled the
> > package and we have made reasonable precautions to be sure there are no
> > trojans inside.
> 
> Rebuilding every package really doesn't buy you that much in the way of
> security.  It makes it harder to hide what you did, but only harder; a
> rogue uploader could obfuscate a trojan in source code rather well.  In
> the end, we still trust people in the keyring.  About the only thing you
> gain is the potential ability to do more detailed post-mortem analysis
> after something already exploded.

And the amount of breakage caused by actual mistakes of the uploader, like
having random sets of non-official libraries installed and such.

Friendly,

Sven Luther

Reply to:

References:
- Recompilation of ALL Debian packages ...
  - From: Matej Cepl <ceplm@seznam.cz>
- Re: Recompilation of ALL Debian packages ...
  - From: Matej Cepl <ceplm@seznam.cz>
- Re: Recompilation of ALL Debian packages ...
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Recompilation of ALL Debian packages ...
Previous by thread: Re: Recompilation of ALL Debian packages ...
Index(es):
- Date
- Thread