Re: Compromising Debian Repositories
I am really sorry if you think it's rude to start a topic here without subscribing. I thought that it was acceptable, since a lot of people do it in debian-users (I know it has a lot more volume than this one) and it's the default action when you click on "Reply to All" in most clients (well, probably a lot of people here use less standard email clients).
Anyway, I just subscribed to this list ;)
I am aware that it is possible to write obfuscated code that doesn't behave as expected, but I guess that the kind of people that usually write code like that aren't the kind of people that are accepted to write code for Debian.
This is a problem that is harder to tackle, so now I'm assuming that any code whose source is publicly available has got enough scrutiny and we can trust it.
What I was asking was about the case where the binary/package does not correspond to the given source.
Hypothetically the NSA could pay off the maintainer of some libfoo or executablebar that is required by the Debian core (hence, that must be installed in all Debian systems). Before compiling that package the developer could change it to include some trojan and provide the unmodified source.
In principle, deterministic builds would solve this problem, but I'm not sure how hard it is to accomplish (I'm not used to writing compiled code). If there is a different version of the compiler, of some random lib or of some smaller thing, there could be some bytes that are different, making it quite hard to reproduce. Creating an automated build server does not seem easy because there are packages written in a lot of languages that have a lot of different requirements.
To conclude, I just want to say that I don't have any problems trusting Debian's maintainers in general (I currently run Debian on my personal computers and I'm setting up a personal server, also using Debian). The problem here is that only one rogue maintainer could infect every Debian system with some trojan.
PS: I'm sorry if this one general answer breaks someone's threaded client, but I think in this case one big answer makes more sense than a lot of smaller replies.
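The deterministic-build idea discussed in the message above, as an added example that is not part of the original thread and not Debian tooling: a toy build that archives the same source tree on two simulated builders, first with default settings and then with the normalisations the Reproducible Builds project recommends (sorted member order, timestamps clamped to SOURCE_DATE_EPOCH, fixed owner fields, zeroed gzip timestamp), followed by the check a third party would perform, rebuilding from the published source and comparing hashes. The source tree, the SOURCE_DATE_EPOCH value and all function names are constructed for the demonstration.

```python
"""Toy reproducible-build check (added example, not code from the original
mailing-list thread). Two simulated builders archive the same source tree;
the naive build differs byte-for-byte, the normalised build does not, so a
third party can rebuild and compare hashes instead of trusting the uploader.
The source tree, SOURCE_DATE_EPOCH and path names are constructed."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed sample "source tree": relative path -> file contents
SOURCE_TREE = {
    "usr/bin/foo": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/foo/README": b"foo 1.0\n",
}

# Constructed value; real tooling derives it from the package changelog date
SOURCE_DATE_EPOCH = 1388534400  # 2014-01-01T00:00:00Z


def write_tree(root, mtime):
    """Unpack SOURCE_TREE under root with every file stamped `mtime`,
    simulating a builder that checked the source out at that moment."""
    for rel, data in SOURCE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))


def naive_build(root):
    """Archive the tree the way default tooling does: on-disk mtimes, owner
    uid/gid and filesystem traversal order all leak into the bytes, and gzip
    stamps the current time into its header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=".")
    return gzip.compress(buf.getvalue())


def reproducible_build(root, source_date_epoch=SOURCE_DATE_EPOCH):
    """Archive the tree with the normalisations the Reproducible Builds
    project recommends: sorted member order, mtimes clamped to
    SOURCE_DATE_EPOCH, fixed owner fields and a zero gzip timestamp.
    (File modes are left as-is here; a real tool normalises those too.)"""
    def normalise(info):
        info.mtime = min(int(info.mtime), source_date_epoch)  # clamp, not overwrite
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        return info

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal regardless of filesystem
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, root),
                        recursive=False, filter=normalise)
    return gzip.compress(buf.getvalue(), mtime=0)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_builders(build):
    """Run `build` on two simulated builders whose checkouts differ only in
    timestamp (a day apart); True means the artifacts are byte-identical."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        now = int(time.time())
        write_tree(a, now)
        write_tree(b, now + 86400)
        return sha256(build(a)) == sha256(build(b))


def verify_published(published_sha256, source_root):
    """The third-party check: rebuild from the published source and compare
    against the hash of the artifact the maintainer actually shipped."""
    return sha256(reproducible_build(source_root)) == published_sha256


def demo_verify():
    """Publish a hash from one builder, then verify it from an independent
    checkout of the same source made a day later."""
    with tempfile.TemporaryDirectory() as pub, tempfile.TemporaryDirectory() as other:
        now = int(time.time())
        write_tree(pub, now)
        published = sha256(reproducible_build(pub))
        write_tree(other, now + 86400)
        return verify_published(published, other)


if __name__ == "__main__":
    print("naive build reproducible:     ", compare_builders(naive_build))
    print("normalised build reproducible:", compare_builders(reproducible_build))
    print("independent rebuild verifies: ", demo_verify())
```

The point of the two builders is the one the message raises: with the naive build, a mismatch between the shipped binary and a rebuild from source proves nothing, because timestamps and traversal order alone change the bytes; once those inputs are pinned, any remaining difference is evidence that the shipped artifact was not produced from the published source. Real compiled packages add further sources of variation (compiler version, embedded build paths, parallelism), which is why the Debian effort records the exact build environment alongside the artifact hash.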