Re: Compromising Debian Repositories

On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
> That should help to defeat any kind of sophisticated backdoor on build
> machines.

How do you detect if a maintainer's patches contain backdoors? If I
wanted to attack Debian, I would try to become the maintainer of one of
the most harmless, most used packages. And believe me, you wouldn't see
at first glance that this source code patch contains a
backdoor. I think it's easy to do this, at least while backporting
security fixes – but not only. And, additionally: there is plausible
deniability of doing so intentionally. We're all making mistakes, don't

And we all remember the issue with key generation, I assume.
Attacks on the build process don't seem to be the hugest threats.
Not to mention the build tool chains.