Re: Compromising Debian Repositories

To: Daniel Sousa <daniel@sousa.me>
Cc: debian-security@lists.debian.org
Subject: Re: Compromising Debian Repositories
From: Paul Wise <pabs@debian.org>
Date: Sat, 3 Aug 2013 10:48:52 +0200
Message-id: <[🔎] CAKTje6Fxt9wdoEFh+g2bEmfjOWbF1e9tHTBLTGu23=MatLCx5Q@mail.gmail.com>
In-reply-to: <[🔎] CAKhc=u4jKgHLdsXpTB2ecQ1T2CEv-AMa5geM6OqN+sgcYKnP8g@mail.gmail.com>
References: <[🔎] CAKhc=u4jKgHLdsXpTB2ecQ1T2CEv-AMa5geM6OqN+sgcYKnP8g@mail.gmail.com>

On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote:

> I was reading this [1] article and it brought a question do my mind: How
> hard would it be for the FBI or the NSA or the CIA to have a couple of
> agents infiltrated as package mantainers and seeding compromised packages to
> the official repositories?

Probably easy.

> Could they submit an uncompromised source and keep a small patch that they
> apply before building and sending it to the repository? Or is the building
> process done on Debian servers?

They could. All of the Architecture: all packages are built on
developer machines. For most packages, at least one architecture for
each architecture-specific binary package has been built on developer
machines. In practice this means arch all, amd64 and some i386
packages are built on developer machines. We have been talking about
changing this for a long time and there is a plan but the relevant
people haven't had time to implement it yet.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Compromising Debian Repositories
  - From: sp113438 <sp113438@telfort.nl>

References:
- Compromising Debian Repositories
  - From: Daniel Sousa <daniel@sousa.me>

Prev by Date: Compromising Debian Repositories
Next by Date: Re: Compromising Debian Repositories
Previous by thread: Compromising Debian Repositories
Next by thread: Re: Compromising Debian Repositories
Index(es):
- Date
- Thread