Re: Compromising Debian Repositories

To: debian-security@lists.debian.org
Subject: Re: Compromising Debian Repositories
From: Rick Moen <rick@linuxmafia.com>
Date: Sat, 3 Aug 2013 10:36:16 -0700
Message-id: <[🔎] 20130803173616.GO20726@linuxmafia.com>
In-reply-to: <[🔎] 20130803101706.GA363@dingens.org>
References: <[🔎] CAKhc=u4jKgHLdsXpTB2ecQ1T2CEv-AMa5geM6OqN+sgcYKnP8g@mail.gmail.com> <[🔎] 51FCCA78.5080604@riseup.net> <[🔎] 20130803101706.GA363@dingens.org>

Quoting Volker Birk (vb@pibit.ch):

> Really?
> 
> How do you detect, if maintainer's patches contain backdoors? If I would
> want to attack Debian, I would try to become the maintainer of one of
> the most harmless, most used packages. And believe me, you wouldn't see
> at the first glance, that this source code patch is containing a
> backdoor....

Indeed, this whole line of query (from someone who cannot even bother to
read debian-legal and wants to be CCed; no thanks) is basically pretty
dumb and can be avoided by reading Ken Thompsen's 'Reflections on
Trusting Trust', contemplating the nature of the accountability and
tracking facilitated by the Debian maintainer process (and its design
limits), and, y'know, bothering to think a bit.

Reply to:

Follow-Ups:
- Re: Compromising Debian Repositories
  - From: Robert Tomsick <robert@tomsick.net>

References:
- Compromising Debian Repositories
  - From: Daniel Sousa <daniel@sousa.me>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: Volker Birk <vb@pibit.ch>

Prev by Date: Re: Compromising Debian Repositories
Next by Date: Re: Compromising Debian Repositories
Previous by thread: Re: Compromising Debian Repositories
Next by thread: Re: Compromising Debian Repositories
Index(es):
- Date
- Thread