On Fri, Feb 09, 2007 at 02:44:37PM +0100, Francesco P. Lovergine wrote:
> The security implications of those practices should be evident to anyone.

This is (sorry) bullshit. Binary-only uploads are _not_ less secure than binary+source ones. Having a source side by side with the binary module does not give more security than binary-only uploads.

For the sake of the argument, let's imagine a DD has become rogue and wants to root the whole archive. Here is what he could do:

  1. Do an upload of _any_ arch:any package in the archive that has rdeps, repack the .deb he got with a slightly modified gcc binary, hidden e.g. in the .rodata of one of his ELF binaries, and use the postinst of the package to "unpack" this copy to /usr/bin/gcc.
     => src+binary upload, only the binary is tainted.
  2. Upload a rdep, with strict versioning, to force installation of the rootkited package on _every_ DSA-controlled autobuilder.
     => src+binary upload again, clean packages.
  3. Upload a new clean version of the package from (1) to erase obvious traces.
     => src+binary upload, clean packages again.
  4. Wait for a time (longer is better), and trigger the rootkit. The trigger could be e.g. as soon as this or that package has its revision bump over this value, making the trigger unrelated to the 1-2-3 actions, and making the action _very_ hard to trace (even with snapshots.d.n).

At no stage did the fact that the upload is not sourceless help. src+bin uploads are just a moral contract from the uploader that he did not fake the build and tested it. A _moral_ constraint, not a technical one.

There is nothing related to security about forbidding binary-only uploads. That's IMHO mostly political. There are also _some_ technical[0] concerns, but if the political problems didn't exist in the first place, those would be long gone IMHO.

[0] The first one is related to the build logs, but that's a non-issue, as not so long ago it was possible to forward build logs built on other buildds easily, so e.g. we could re-enable it for archs where it's not possible anymore if the builder signed the build logs, and ask for binary uploads to come with the log. The other problem is real too; it's related to wanna-build: if you do "rogue" builds you may be in a case where an autobuilder is already building that package, hence wasting resources.

-- 
·O·  Pierre Habouzit
··O  madcoder@debian.org
OOO  http://www.madism.org