[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Compromising Debian Repositories

On 2013-08-04 09:50, intrigeri wrote:
> Hi,
>
> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
>>>> Volker Birk:
>>>>> On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
>>>>>> That should help to defeat any kind of sophisticated backdoor on build
>>>>>> machines.
>>>>> Really?
>>>>> How do you detect, if maintainer's patches contain backdoors?
>>>> Someone else builds the same package (binary) and detects a different
>>>> checksum. - That required deterministic builds.
>>> There will be the correct checksum, if the maintainer of the package
>>> does it.
>> Why?
>>> So no way to detect that with deterministic builds.
>> Why not?
> I believe you have missed something around "if maintainer's patches
> contain backdoors". Maintainer's patches are part of the source
> package, and applied to the source before the binary package is built.
> As you can see, it's obvious checksums and deterministic builds don't
> help in such a case.
>
> Cheers,

I think the real issue is about if the malicious patch is not part of
the source package. Then nobody could find that patch by reading the
source code.
Reply to: