
Re: Compromising Debian Repositories



I think deterministic builds would be the best answer to ensure being
free of backdoors in the long term.

A deterministic build process allows multiple builders to create
identical binaries. This allows multiple parties to sign the resulting
binaries, guaranteeing that the binaries and tool chain were not
tampered with and that the same source was used. It removes the build
and distribution process as a single point of failure. [1]

That should help to defeat any kind of sophisticated backdoor on build
machines.

[1] Credit for most of this post goes to http://gitian.org/.
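The mechanism the post describes, shown as an added example (this is not code from the post or from gitian.org): three simulated builders package the same constructed source tree, first with a naive build that stamps each builder's clock and filesystem listing order into the artifact, then with a normalised build (fixed timestamp, sorted entries, zeroed gzip header). A k-of-n consensus check then decides whether any digest has enough independent agreement to be accepted and co-signed. The source files, builder environments, the `SOURCE_DATE_EPOCH` value and the quorum are all constructed for illustration; signing itself is left out, since the point is that there is nothing worth signing until independent builders agree.

```python
import gzip
import hashlib
import io
import tarfile
from collections import Counter

# Constructed sample "source tree" that every builder packages.
SOURCE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}

# Assumed fixed timestamp (the role SOURCE_DATE_EPOCH plays in real
# reproducible-build setups); any agreed constant works.
SOURCE_DATE_EPOCH = 0


def build(files, *, clock, listing_order, deterministic):
    """Package `files` into a .tar.gz, simulating one builder's environment.

    `clock` is that builder's current time and `listing_order` the order
    its filesystem happens to return entries in. A naive build leaks both
    into the artifact; the deterministic build normalises them away.
    """
    if deterministic:
        mtime = SOURCE_DATE_EPOCH
        order = sorted(files)          # stable, environment-independent order
    else:
        mtime = clock                  # "now" stamped into every tar header
        order = listing_order          # whatever the directory walk returned

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    # The gzip header carries its own timestamp; zero it for determinism.
    return gzip.compress(buf.getvalue(), mtime=0 if deterministic else clock)


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


# Constructed: three independent builders with different clocks and
# different directory-listing orders.
BUILDERS = {
    "builder-a": dict(clock=1_700_000_000, listing_order=["src/main.c", "README"]),
    "builder-b": dict(clock=1_700_003_600, listing_order=["README", "src/main.c"]),
    "builder-c": dict(clock=1_700_007_200, listing_order=["src/main.c", "README"]),
}


def attestations(deterministic):
    """Each builder builds from the same source and reports the digest it got."""
    return {
        name: sha256(build(SOURCE_FILES, deterministic=deterministic, **env))
        for name, env in BUILDERS.items()
    }


def consensus_digest(reports, quorum):
    """Return the digest at least `quorum` builders agree on, else None.

    This is the gate a distribution step applies before accepting (and
    co-signing) a binary: no single builder's output is trusted on its own.
    """
    digest, votes = Counter(reports.values()).most_common(1)[0]
    return digest if votes >= quorum else None


if __name__ == "__main__":
    naive = attestations(deterministic=False)
    repro = attestations(deterministic=True)
    print("naive:", len(set(naive.values())), "distinct digests ->",
          consensus_digest(naive, quorum=2))
    print("repro:", len(set(repro.values())), "distinct digests ->",
          consensus_digest(repro, quorum=2))
```

With the naive build every builder reports a different digest, so no quorum is reachable and nothing gets signed; with the normalised build all three agree, and a compromised single build host would stand out as the one dissenting digest rather than silently becoming the published binary.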

