
Re: Compromising Debian Repositories

On Sat, Aug 03, 2013 at 08:46:53PM +1000, Aníbal Monsalve Salazar wrote:
> On Sat, Aug 03, 2013 at 12:17:06PM +0200, Volker Birk wrote:
> > Not to mention the build tool chains.
> It reminds me of Ken Thompson's article Reflections on Trusting Trust.

Yes, that's what I'm alluding to. For attacking Debian, being a
maintainer of say, binutils or gcc would be best. But hey, there are
libtool, autotools-dev, autoconf etc. It would be adequately easy being
a maintainer of something in the kernel, of course, whatever it is.

What is that telling us? Well, we're all dependent on a web of trust –
even if we wouldn't use OpenPGP ;-)

And, please, don't let us start with mistrust here. It will lead us into
a situation where we can't work together any more.

That is, by the way, the hugest threat I'm seeing with all that NSA
spying stuff: they're destroying what our community, they're destroying
what society is built on: trust.

There is no cooperation without trust, none. And there is none if all
power is owned by trusts…

pibit AG, Oberer Graben 4, 8400 Winterthur
mailto:vb@pibit.ch  Mobile +41 (79) 292 88 87
