Hi!

* Felipe Figueiredo <philsf79@gmail.com> [080218 10:01]:
> > Well, a rogue hacker would need to be quite skilled to add some kind of
> > "bad" package.
> >
> > Let's assume he has created a bad package and got control over a mirror
>
> How about a simpler attack vector: compromise a devel account, and sneak in a
> patch to be automatically incorporated into a package. Is this feasible?
>
> I understand that this case would not reflect what the OP asked about, but
> still.

Yes, that would be a possible attack vector. But you would need to do more than just break into a devel account. Since package uploads of developers need to be signed with a pre-approved GPG key, you would need to break into that, too (which I must confess is still possible).

However, while it would then be possible to upload packages to Debian's unstable branch directly (and therefore could possibly [but IMHO unlikely] even get a package into the testing branch), you still don't get a package into a stable (point) release, since your manipulated package needs to pass the review of our stable release managers.

Now keep in mind that you in general can't get new upstream releases into a stable point release, and since the manipulated package has been uploaded before the manipulation, changing the source code of the package won't work. So the only way you can get your manipulations in is via the diff.gz of the source package. So it is more or less easy to review what has been changed. Tools like "debdiff" to compare changes between packages make it even easier.

So it is not impossible, but quite unlikely, that a manipulated package gets into a stable point release. (And you would still need to do some more to get your package in, e.g. a bug report of serious severity (or higher) which your package claims to fix, which of course will be tested; and all that while the Debian Developer whose account and GPG key you hacked isn't noticing anything.)

The next attack vector would be to get a manipulated package into Debian's unstable branch, and hope it will make it into a stable release. That would be complicated and unlikely, too, but I'm too lazy now to write it all down ;)

Yours sincerely,
Alexander
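As an added illustration of the review step the mail describes (not part of the original message, and not debdiff's own code): a small Python script that lists which files each version of a source package's diff.gz touches, reports what changed between two uploads, and flags anything outside debian/, since that is where a stable update would have to carry modified upstream code. The package name "foo", the paths and both diff contents are constructed sample input.

```python
import re
# Constructed sample: unpacked diff.gz of two uploads of hypothetical package "foo" (1.0-1, then a stable update 1.0-2).
OLD_DIFF = """\
--- foo-1.0.orig/debian/changelog
+++ foo-1.0/debian/changelog
@@ -0,0 +1 @@
+foo (1.0-1) unstable; urgency=low
"""
NEW_DIFF = """\
--- foo-1.0.orig/debian/changelog
+++ foo-1.0/debian/changelog
@@ -0,0 +1,3 @@
+foo (1.0-2) stable; urgency=high
+  * Fix crash on startup.
+foo (1.0-1) unstable; urgency=low
--- foo-1.0.orig/src/main.c
+++ foo-1.0/src/main.c
@@ -10,2 +10,3 @@
 int main(void) {
+    init_logging();
     return run();
"""
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def touched_files(diff_text):
    """Map each path in a unified diff to the list of its '+'/'-' body lines."""
    changes, current, lines, i = {}, None, diff_text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        hunk = HUNK_RE.match(line)
        if line.startswith("+++ "):
            # drop the leading "foo-1.0/" so paths compare across versions
            current = line[4:].split("\t")[0].split("/", 1)[1]
            changes.setdefault(current, [])
        elif hunk and current is not None:
            old_left, new_left = int(hunk.group(1) or 1), int(hunk.group(2) or 1)
            while old_left > 0 or new_left > 0:  # consume exactly one hunk body
                body, i = lines[i], i + 1
                old_left -= body[:1] != "+"  # context lines count on both sides
                new_left -= body[:1] != "-"
                if body[:1] in ("+", "-"):
                    changes[current].append(body)
    return changes

def review(old_diff, new_diff):
    """Files whose diff.gz content differs between the two uploads; anything outside
    debian/ is flagged, since modified upstream code is what reviewers must read."""
    old, new = touched_files(old_diff), touched_files(new_diff)
    return [(p, "REVIEW" if not p.startswith("debian/") else "packaging", len(new.get(p, [])))
            for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)]
```

On the sample, debian/changelog shows up as a routine packaging change while src/main.c is flagged for review because it was not touched by the previous upload at all.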