Re: Compromising Debian Repositories


adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
> Volker Birk:
>> On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
>>> Volker Birk:
>>>> On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
>>>>> That should help to defeat any kind of sophisticated backdoor on build
>>>>> machines.
>>>> Really?
>>>> How do you detect, if maintainer's patches contain backdoors?
>>> Someone else builds the same package (binary) and detects a different
>>> checksum. - That required deterministic builds.
>> There will be the correct checksum, if the maintainer of the package
>> does it.

> Why?

>> So no way to detect that with deterministic builds.

> Why not?

I believe you have missed something around "if maintainer's patches
contain backdoors". Maintainer's patches are part of the source
package, and applied to the source before the binary package is built.
As you can see, it's obvious checksums and deterministic builds don't
help in such a case.

  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
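An added worked example (not part of the thread above, and not code from any Debian tool) that models the distinction intrigeri is making. It assumes a toy "source package" (upstream files plus maintainer patches as replacement file contents) and stands in for the compiler with a SHA-256 over the patched source, so that a build is reproducible by construction. A compromised build host is modelled by a flag that alters the output without touching the source; the function names, file names and the `magic()` call in the malicious patch are all constructed for illustration.

```python
import hashlib
import difflib

# Constructed sample "upstream" source: filename -> contents.
UPSTREAM = {
    "main.c": "int main(void) { return run(); }\n",
    "run.c": "int run(void) { return 0; }\n",
}

# Constructed sample maintainer patches: filename -> replacement contents.
# Like Debian maintainer patches, these are part of the source package and
# are applied to the source *before* the binary is built.
BENIGN_PATCH = {"run.c": "int run(void) { return 0; /* portability fix */ }\n"}
MALICIOUS_PATCH = {"run.c": "int run(void) { if (magic()) { return 1; } return 0; }\n"}


def apply_patches(upstream, patches):
    """Produce the source package: upstream with maintainer patches applied."""
    source = dict(upstream)
    source.update(patches)
    return source


def deterministic_build(source, tampered=False):
    """Stand-in for a reproducible build: the output depends only on the source.
    `tampered=True` models a compromised build host that changes the binary
    without changing the source it was built from (constructed marker)."""
    h = hashlib.sha256()
    for name in sorted(source):
        h.update(name.encode() + b"\0" + source[name].encode() + b"\0")
    if tampered:
        h.update(b"[injected by compromised build host]")
    return h.hexdigest()


def independent_rebuild_matches(source, published_binary):
    """What a second builder can verify: rebuilding the *published source*
    yields the published binary (checksum). Nothing else."""
    return deterministic_build(source) == published_binary


def source_diff(upstream, source):
    """What deterministic builds do NOT verify: the content of the maintainer's
    changes. A source-level backdoor is only visible here, to a human reviewer."""
    out = []
    for name in sorted(set(upstream) | set(source)):
        before = upstream.get(name, "").splitlines(keepends=True)
        after = source.get(name, "").splitlines(keepends=True)
        out.extend(difflib.unified_diff(before, after,
                                        fromfile="upstream/" + name,
                                        tofile="source/" + name))
    return "".join(out)


def scenarios():
    """Run both cases from the thread and report what the rebuild check sees."""
    results = {}

    # Case 1: honest maintainer patch, backdoored build host.
    # The independent rebuild produces a different checksum -> detected.
    src = apply_patches(UPSTREAM, BENIGN_PATCH)
    published = deterministic_build(src, tampered=True)
    results["build_host_backdoor_detected"] = not independent_rebuild_matches(src, published)

    # Case 2: backdoor in the maintainer's patch, honest build host.
    # Both builders start from the same (malicious) source and agree -> NOT detected.
    src = apply_patches(UPSTREAM, MALICIOUS_PATCH)
    published = deterministic_build(src)
    results["maintainer_patch_backdoor_detected"] = not independent_rebuild_matches(src, published)

    # The malicious change is, however, plainly visible in the source diff.
    results["visible_in_source_diff"] = "magic()" in source_diff(UPSTREAM, src)
    return results


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key}: {value}")
    print(source_diff(UPSTREAM, apply_patches(UPSTREAM, MALICIOUS_PATCH)))
```

The rebuild check catches case 1 because the published binary no longer corresponds to the published source, but in case 2 every honest rebuilder reproduces the same checksum because the backdoor is in the source everyone builds from; only reviewing the diff between upstream and the patched source (the last line of output) surfaces it.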