Re: Compromising Debian Repositories

On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote:

> I was reading this [1] article and it brought a question to my mind: How
> hard would it be for the FBI or the NSA or the CIA to have a couple of
> agents infiltrated as package maintainers and seeding compromised packages to
> the official repositories?

Probably easy.

> Could they submit an uncompromised source and keep a small patch that they
> apply before building and sending it to the repository? Or is the building
> process done on Debian servers?

They could. All of the Architecture: all packages are built on
developer machines. For most packages, at least one architecture for
each architecture-specific binary package has been built on developer
machines. In practice this means arch all, amd64 and some i386
packages are built on developer machines. We have been talking about
changing this for a long time and there is a plan but the relevant
people haven't had time to implement it yet.
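The reply above turns on one fact: an upload whose .changes file lists binary architectures besides "source" carries .deb files that were built on the uploader's own machine rather than on Debian's build servers. The following script, an added example that is not part of the thread and not Debian tooling, reads a .changes file and reports which binaries arrived that way. The .changes text is constructed for the example, and the parser is a minimal hand-written reader for the RFC822-style control format (python-debian's deb822 module would be the usual choice in real tooling).

```python
"""Report which binaries in a Debian .changes upload were built off the buildds.

Added example, not from the mailing-list thread. SAMPLE_CHANGES is a
constructed upload; the field parser below is a deliberately small reader
for the RFC822-style control format used by .changes files.
"""
import re
from typing import Dict, List

# Constructed sample: a source upload that also ships amd64 and arch:all .debs,
# i.e. those two binaries were built on the uploader's machine.
SAMPLE_CHANGES = """\
Format: 1.8
Date: Sat, 03 Aug 2013 10:00:00 +0000
Source: examplepkg
Binary: examplepkg examplepkg-data
Architecture: source amd64 all
Version: 1.2-3
Distribution: unstable
Urgency: low
Maintainer: Example Maintainer <maintainer@example.invalid>
Changed-By: Example Maintainer <maintainer@example.invalid>
Description:
 examplepkg - example program (constructed)
 examplepkg-data - example data files (constructed)
Changes:
 examplepkg (1.2-3) unstable; urgency=low
 .
   * Constructed changelog entry.
Files:
 0123456789abcdef0123456789abcdef 1234 devel optional examplepkg_1.2-3.dsc
 0123456789abcdef0123456789abcdef 4321 devel optional examplepkg_1.2-3.debian.tar.gz
 0123456789abcdef0123456789abcdef 9999 devel optional examplepkg_1.2-3_amd64.deb
 0123456789abcdef0123456789abcdef 8888 devel optional examplepkg-data_1.2-3_all.deb
"""

# Binary package filename: name_version_arch.deb (or .udeb); no epoch in filenames.
DEB_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+)_(?P<ver>[^_]+)_(?P<arch>[a-z0-9-]+)\.u?deb$"
)


def parse_changes(text: str) -> Dict[str, str]:
    """Parse one control stanza: a line starting with whitespace continues the previous field."""
    fields: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current] += "\n" + line[1:]
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
    return fields


def uploaded_binaries(fields: Dict[str, str]) -> Dict[str, str]:
    """Return {filename: architecture} for every .deb/.udeb listed under Files."""
    result: Dict[str, str] = {}
    for entry in fields.get("Files", "").splitlines():
        parts = entry.split()          # md5sum size section priority filename
        if len(parts) != 5:
            continue
        m = DEB_RE.match(parts[4])
        if m:
            result[parts[4]] = m.group("arch")
    return result


def classify_upload(text: str) -> dict:
    """Summarise where the binaries in this upload came from."""
    fields = parse_changes(text)
    archs: List[str] = fields.get("Architecture", "").split()
    debs = uploaded_binaries(fields)
    return {
        "source": fields.get("Source"),
        "source_only": archs == ["source"],
        # Any architecture other than "source" means a developer-built binary.
        "developer_built": sorted(set(debs.values())),
        "binaries": debs,
        # Architecture field and the Files list should agree; a mismatch is worth a look.
        "arch_mismatch": (set(archs) - {"source"}) != set(debs.values()),
    }


if __name__ == "__main__":
    report = classify_upload(SAMPLE_CHANGES)
    print(f"{report['source']}: source-only={report['source_only']}")
    for name, arch in report["binaries"].items():
        print(f"  developer-built binary ({arch}): {name}")
```

Run on the sample it reports two developer-built binaries (amd64 and all); a source-only upload, where Architecture reads just "source" and Files carries no .deb, reports none. The arch_mismatch flag catches uploads whose Architecture field and file list disagree, which a review process would want to see before accepting the binaries.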
