On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote: > That should help to defeat any kind of sophisticated backdoor on build > machines. Really? How do you detect, if maintainer's patches contain backdoors? If I would want to attack Debian, I would try to become the maintainer of one of the most harmless, most used packages. And believe me, you wouldn't see at the first glance, that this source code patch is containing a backdoor. I think, it's easy to do this at least while backporting security fixes – but not only. And, additionally: there is plausible deniability of doing so intentionally. We're all making mistakes, don't we? And we're all remembering the issue with key generation, I assume. Attacks on the build process don't seem to be the hugest threats. Not to mention the build tool chains. Yours, VB. -- pibit AG, Oberer Graben 4, 8400 Winterthur mailto:vb@pibit.ch Mobile +41 (79) 292 88 87
Attachment:
pgp4QtqNAUvXc.pgp
Description: PGP signature