Re: Compromising Debian Repositories

Heimo Stranner:
> On 2013-08-04 09:50, intrigeri wrote:
>> Hi,
>> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>>> Volker Birk:
>>>> On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
>>>>> Volker Birk:
>>>>>> On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
>>>>>>> That should help to defeat any kind of sophisticated backdoor on build
>>>>>>> machines.
>>>>>> Really?
>>>>>> How do you detect, if maintainer's patches contain backdoors?
>>>>> Someone else builds the same package (binary) and detects a different
>>>>> checksum. - That required deterministic builds.
>>>> There will be the correct checksum, if the maintainer of the package
>>>> does it.
>>> Why?
>>>> So no way to detect that with deterministic builds.
>>> Why not?
>> I believe you have missed something around "if maintainer's patches
>> contain backdoors". Maintainer's patches are part of the source
>> package, and applied to the source before the binary package is built.
>> As you can see, it's obvious checksums and deterministic builds don't
>> help in such a case.
>> Cheers,
> I think the real issue is about if the malicious patch is not part of
> the source package. Then nobody could find that patch by reading the
> source code.

Patches not in the source package are what deterministic builds could
detect. I think he refers to patches that look good, but contain
sophisticated internally added vulnerabilities (trusting trust).
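The distinction drawn in this thread, as an added toy model (not code from any of the posters): independent rebuilds flag a build machine that alters its output, but cannot flag a change that is already inside the source package every builder compiles. All names, hooks and sample inputs are constructed.

```python
import hashlib
from typing import Callable, Dict, Optional

Hook = Optional[Callable[[bytes], bytes]]

def build(source_package: str, build_host_hook: Hook = None) -> bytes:
    """Toy deterministic 'compiler': output depends only on the source package.
    build_host_hook (constructed) models a compromised build machine that
    silently rewrites the binary it produces."""
    binary = b"BIN:" + source_package.encode()
    return build_host_hook(binary) if build_host_hook else binary

def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rebuild_and_compare(source_package: str, builders: Dict[str, Hook]) -> Dict[str, str]:
    """Each independent builder compiles the same source package;
    returns builder name -> checksum of its output."""
    return {name: checksum(build(source_package, hook)) for name, hook in builders.items()}

def mismatch_detected(results: Dict[str, str]) -> bool:
    """Deterministic builds raise an alarm only when builders disagree."""
    return len(set(results.values())) > 1

# Constructed sample inputs.
CLEAN_SOURCE = "upstream-1.0 + debian/patches/fix-typo.patch"
# A maintainer patch that ships inside the source package: every builder
# compiles it faithfully, so every rebuild agrees and nothing is flagged.
PATCHED_SOURCE = CLEAN_SOURCE + " + debian/patches/subtle-logic-change.patch"

def compromised_host(binary: bytes) -> bytes:
    # Models a build machine that modifies output outside the source package.
    return binary + b"<altered-by-build-host>"

def case_build_host_compromise() -> bool:
    """Tampering on one build machine: the other builder's checksum differs."""
    results = rebuild_and_compare(CLEAN_SOURCE,
                                  {"maintainer": compromised_host, "rebuilder": None})
    return mismatch_detected(results)

def case_malicious_source_patch() -> bool:
    """Tampering inside the source package: all builders agree, nothing flagged."""
    results = rebuild_and_compare(PATCHED_SOURCE,
                                  {"maintainer": None, "rebuilder": None})
    return mismatch_detected(results)

if __name__ == "__main__":
    print("build-host compromise detected:", case_build_host_compromise())  # True
    print("source-level patch detected:", case_malicious_source_patch())    # False
```

The second case is the limitation intrigeri points out: reviewing the source package's patches remains the only check for that class of problem.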

