
Re: Compromising Debian Repositories

On Mon, 05 Aug 2013 10:17:05 +0200
intrigeri <intrigeri@debian.org> wrote:

> Hi,
> I need a reality check, as it's unclear to me what the goals of
> this discussion are.
> Does anyone involved plan to work on improving things, and then we're
> discussing where it would be best to focus their energy? If that's the
> case, then I suggest we try to design solutions with baby steps that
> can realistically be implemented in the short term.
> Or is the goal simply to assess the security of our current
> infrastructure in various threat models? If that's the case, then how
> about clearly writing these threat models so that we can then reason
> on the same basis?
> Or is the goal something entirely different that I missed?

I don't think there is a goal, I think we are all ruefully conceding
that the much-vaunted Open Source process is simply unable to deliver
trustworthy code, since the process of compiling the Open Sources
to binary involves using utterly un-auditable binaries, running on
un-auditable processors manufactured by a very small number of

We can also assume that if something is technically possible, perhaps
involving the outright purchase or intimidation of a few hundred humans,
then the largest organised crime syndicates on the planet (a.k.a.
governments) will do it.

