Re: Compromising Debian Repositories
On Sat, 3 Aug 2013 10:48:52 +0200
Paul Wise <email@example.com> wrote:
> On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote:
> > I was reading this article and it brought a question to my
> > mind: How hard would it be for the FBI or the NSA or the CIA to
> > have a couple of agents infiltrated as package maintainers and
> > seeding compromised packages to the official repositories?
> Probably easy.
> > Could they submit an uncompromised source and keep a small patch
> > that they apply before building and sending it to the repository?
> > Or is the building process done on Debian servers?
> They could. All of the Architecture: all packages are built on
> developer machines. For most packages, at least one architecture for
> each architecture-specific binary package has been built on developer
> machines. In practice this means arch all, amd64 and some i386
> packages are built on developer machines. We have been talking about
> changing this for a long time and there is a plan but the relevant
> people haven't had time to implement it yet.
It is easy to monitor all internet traffic on a test system.
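One defender-side check for the concern discussed above, as an added example that is not code from the thread: parse a Debian Packages index, rebuild the listed binary packages independently, and flag any .deb whose archive SHA256 differs from the rebuild (with the page's point in mind, Architecture: all packages are the ones always built on developer machines). The index stanzas, pool paths and file contents below are constructed, and the check assumes the rebuild is reproducible so that a differing hash is meaningful.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for .deb files as published in the archive
# (package names, paths and contents are made up for this example).
ARCHIVE = [
    # (binary package, architecture, path in pool, constructed file bytes)
    ("examplepkg-data", "all", "pool/main/e/examplepkg/examplepkg-data_1.0-1_all.deb",
     b"arch:all build uploaded from a developer machine"),
    ("examplepkg", "amd64", "pool/main/e/examplepkg/examplepkg_1.0-1_amd64.deb",
     b"amd64 build uploaded from a developer machine"),
    ("examplepkg", "i386", "pool/main/e/examplepkg/examplepkg_1.0-1_i386.deb",
     b"i386 build produced on a buildd"),
]

# Constructed Packages index in apt's blank-line separated "Field: value" format,
# carrying only the fields this check needs.
PACKAGES_INDEX = "\n".join(
    f"Package: {pkg}\nArchitecture: {arch}\nVersion: 1.0-1\n"
    f"Filename: {path}\nSHA256: {sha256_hex(data)}\n"
    for pkg, arch, path, data in ARCHIVE)


def parse_packages_index(text: str) -> List[Dict[str, str]]:
    """Split a Packages index into stanzas; continuation lines (indented) are skipped."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
        elif line[0] not in " \t":
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def check_rebuilds(index_text: str, rebuilt: Dict[str, bytes]) -> Dict[str, str]:
    """Map each Filename to 'match', 'MISMATCH' or 'not-rebuilt' against a local rebuild."""
    results = {}
    for stanza in parse_packages_index(index_text):
        path = stanza["Filename"]
        if path not in rebuilt:
            results[path] = "not-rebuilt"
        else:
            same = sha256_hex(rebuilt[path]) == stanza["SHA256"]
            results[path] = "match" if same else "MISMATCH"
    return results


# Constructed rebuild outputs: the amd64 .deb does not match what was uploaded.
REBUILT = {ARCHIVE[0][2]: ARCHIVE[0][3],
           ARCHIVE[1][2]: b"amd64 build carrying a patch absent from the source package"}

if __name__ == "__main__":
    for path, status in check_rebuilds(PACKAGES_INDEX, REBUILT).items():
        print(f"{status:12} {path}")
```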