Re: Concerns about Security of packages in Debain OS and the Operating system itself.

To: lkcl <luke.leighton@gmail.com>
Cc: debian-devel@lists.debian.org, Daniel Pocock <daniel@pocock.pro>, Satvik Sinha <sinhasatvik214@gmail.com>, debian-project@lists.debian.org, debian-security@lists.debian.org
Subject: Re: Concerns about Security of packages in Debain OS and the Operating system itself.
From: Adam McKenna <adam@flounder.net>
Date: Mon, 23 May 2022 12:14:31 -0700
Message-id: <[🔎] CA+_b3XbKZhZH5WUOXXrQB0P9D6iPT67FuBtzioxyYGrPRkV0Og@mail.gmail.com>
In-reply-to: <[🔎] CAPweEDzj2y6_ccXCWjjRDJaZKOe445qMigxVK7aR9UkXZv4sww@mail.gmail.com>
References: <CAPCiBOS6_LLp6RHCxEma+oTKaXjhmT9FKWVOqR9t6etsRdXm9w@mail.gmail.com> <cd27db78-e65f-8b24-44a6-dd2b10f7d293@pocock.pro> <0BDBB0C6-4DB3-4C49-9EF0-60BDAAB9B6DA@gmail.com> <[🔎] CA+_b3XZ0cxzNavzmacfe3bm4T76AJ7zUr7hfvKEFT_fotPDBkw@mail.gmail.com> <[🔎] CAPweEDxbaZWTHosAfF95Xwkb3ar6wxH9CnZjQ4w2kGVEDvk9Ug@mail.gmail.com> <[🔎] CA+_b3XZDWEBd=bcWVimsT_a16JXj11rC4wsfYdddj90Noznviw@mail.gmail.com> <[🔎] CAPweEDzj2y6_ccXCWjjRDJaZKOe445qMigxVK7aR9UkXZv4sww@mail.gmail.com>

> they get one and only one chance to do something that stupid.

So the answer is that we have no way of preventing a developer from intentionally sabotaging a package in any / as many ways as they choose and the only risk to them is losing their uploader access after the fact?

>the response is swift: there was a debian developer wrongfully arrested for running a TOR exit node. their key was revoked immediately.

How was this incident detected?

On Mon, May 23, 2022 at 12:07 PM lkcl <luke.leighton@gmail.com> wrote:

On Mon, May 23, 2022 at 7:59 PM Adam McKenna <adam@flounder.net> wrote:
> You are talking about a deterrent though. I think the question is,
> what if someone cares more about their political cause than
> retaining their uploader access?

they get one and only one chance to do something that stupid.

> What if someone's keys are compromised

the response is swift: there was a debian developer wrongfully
arrested for running a TOR exit node. their key was revoked
immediately.

l.

Reply to:

References:
- Re: Concerns about Security of packages in Debain OS and the Operating system itself.
  - From: Adam McKenna <adam@flounder.net>
- Re: Concerns about Security of packages in Debain OS and the Operating system itself.
  - From: lkcl <luke.leighton@gmail.com>
- Re: Concerns about Security of packages in Debain OS and the Operating system itself.
  - From: Adam McKenna <adam@flounder.net>
- Re: Concerns about Security of packages in Debain OS and the Operating system itself.
  - From: lkcl <luke.leighton@gmail.com>

Prev by Date: Re: Concerns about Security of packages in Debain OS and the Operating system itself.
Next by Date: Re: Concerns about Security of packages in Debain OS and the Operating system itself.
Previous by thread: Re: Concerns about Security of packages in Debain OS and the Operating system itself.
Next by thread: Re: Concerns about Security of packages in Debain OS and the Operating system itself.
Index(es):
- Date
- Thread