Re: Rebuilding packages on *all* architectures



martin f krafft <madduck@debian.org> writes:

> thus spoke Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> [2004.09.05.1807 +0200]:
>> The binary is needed because otherwise the -all packages would be
>> missing and there would be no deb package in the archive holding
>> the source.
>
> I am not sure I understand that. Then the source should only
> propagate to unstable when the first buildd is done. Or at least,
> the buildd's DEB should replace the one in unstable.

For source only uploads two things have to work:

1) Some buildd needs to build -all debs.
2) The archive software needs to not delete sources without debs in
the archive if that source is the latest version (which could already
be the case).

>> Sure, the DD could insert some trojan into the binary. He could
>> also insert a trojan into the source. And you are aware of the
>> thread about buildds being run partly by non-DDs who can't be
>> trusted and thus the archive being tainted by the autobuilt debs?
>
> I was not aware of this, and I consider it a horrible state of
> affairs. Seriously, if this becomes public, Debian is in serious
> trouble, I think.
>
>> A DD could also upload a binary recompile NMU with some flimsy
>> excuse for package foo with a trojan, then upload source for
>> package bar that Build-Depends: foo to get the trojan installed on
>> the buildds and then upload a new foo source to remove the tainted
>> foo and cover his tracks. The buildds would then be tainted and
>> could insert trojans into every built package.
>
> Oh dear.
>
>> I too think that the Debian autobuilders should compile the DEB files
>> for *all* architectures. They should also compile the Arch: all
>> packages. But security is the least of my worries.
>
> And it's among the greatest of mine.

I think you misunderstood me there since it was really unclear. Of
course security is important. But I hardly consider security an
argument for needing source-only uploads. If you can't trust binary
uploads from the maintainer then you can't trust the source without
having every upload audited.

There are other arguments for source-only uploads like preventing
mistakes and misbuilds due to the uncontrolled build environment of
the DD. Let's face it, how many DDs build in a clean chroot?

Looking at other security vulnerabilities between the source upload
and the user installing the deb, I think the binary upload is (one of)
the strongest points.

> Previously, I considered Debian to be among the secure distros,
> partially because of its cleanliness, partially because of QA. Now
> I am beginning to see Debian as a real problem in terms of security.
> No clue what the state is with the other distros, but who cares? The
> point is that the current infrastructure and its consequences do
> *not* make Debian a viable choice when security is a factor.
>
> Something has to be done. I am pondering...

If you want security then build from source. For the debs there are
currently way too many open holes where someone can attack. Debian is
getting more and more secure with apt-get/dpkg learning to actually
check signatures and signed debs becoming more common and so on. But
for the last few years Debian has run solely on trust between its
members and supporters.

Kind regards
        Goswin