[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [GR] DD should be allowed to perform binary-only uploads



On Fri, Feb 09, 2007 at 02:44:37PM +0100, Francesco P. Lovergine wrote:
> The security implications of those practices should be evident to anyone. 

  This is (sorry) bullshit. Binary only uploads are _not_ less secure
than binary+source ones. Having a source side by side with the binary
module does not give more security than binary-only uploads.

  For the sake of the argument, let's imagine a DD has become rogue and
want to root the whole archive, here is what he could do:

  1. Do an upload of _any_ arch:any package in the archive that has
     rdeps, repack the .deb he got with a slightly modified gcc binary,
     hidden e.g. in the .rodata of one of his elf binaries, and use the
     postinst of the package to "unpack" this copy to /usr/bin/gcc.

     => src+binary upload, only the binary is tainted.

  2. Upload a rdep, with strict versioning, to force installation of
     the rootkited package on _every_ DSA-controlled autobuilder.

     => src+binary upload again, clean packages.

  3. Upload a new clean version of the package from (1) to eraces
     obvious traces.

     => src+binary upload clean packages again.

  4. Wait for a time (longer is better), and trigger the rootkit.
     The trigger could be e.g. as soon as this or that package has its
     revision that bumps over this value, making the trigger unrelated
     to 1-2-3 actions, and making the action _very_ hard to trace (even
     with snapshots.d.n)

  At no stage the fact that the upload is not sourceless helped. src+bin
uploads is just a moral contract from the uploader that he did not faked
the build and tested it. a _moral_ constraint, not a technical one.


  There is nothing related to security about forbidding binary only
uploads. That's IMHO mostly political. There are also _some_
technical[0] concerns, but if the political problems didn't exist in the
first place, those would be long gone IMHO.



  [0] the first one is related to the build logs, but that's a non issue
      as not so long ago it was possible to forward build logs built on
      other buildds easily, so e.g. we could re-enable it for archs
      where it's not possible anymore if the builder signed the build
      logs, and ask for binary-uploads to come with the log.

      The other problem is real too, it's related to wanna-build: if you
      do "rogue" builds you may be in a case where an autobuilder is
      already building that package, hence wasting resources.
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org

Attachment: pgp65rw4dPdTZ.pgp
Description: PGP signature


Reply to: