On Fri, Feb 09, 2007 at 02:44:37PM +0100, Francesco P. Lovergine wrote:
> The security implications of those practices should be evident to anyone.
This is (sorry) bullshit. Binary only uploads are _not_ less secure
than binary+source ones. Having a source side by side with the binary
module does not give more security than binary-only uploads.
For the sake of the argument, let's imagine a DD has become rogue and
want to root the whole archive, here is what he could do:
1. Do an upload of _any_ arch:any package in the archive that has
rdeps, repack the .deb he got with a slightly modified gcc binary,
hidden e.g. in the .rodata of one of his elf binaries, and use the
postinst of the package to "unpack" this copy to /usr/bin/gcc.
=> src+binary upload, only the binary is tainted.
2. Upload a rdep, with strict versioning, to force installation of
the rootkited package on _every_ DSA-controlled autobuilder.
=> src+binary upload again, clean packages.
3. Upload a new clean version of the package from (1) to eraces
obvious traces.
=> src+binary upload clean packages again.
4. Wait for a time (longer is better), and trigger the rootkit.
The trigger could be e.g. as soon as this or that package has its
revision that bumps over this value, making the trigger unrelated
to 1-2-3 actions, and making the action _very_ hard to trace (even
with snapshots.d.n)
At no stage the fact that the upload is not sourceless helped. src+bin
uploads is just a moral contract from the uploader that he did not faked
the build and tested it. a _moral_ constraint, not a technical one.
There is nothing related to security about forbidding binary only
uploads. That's IMHO mostly political. There are also _some_
technical[0] concerns, but if the political problems didn't exist in the
first place, those would be long gone IMHO.
[0] the first one is related to the build logs, but that's a non issue
as not so long ago it was possible to forward build logs built on
other buildds easily, so e.g. we could re-enable it for archs
where it's not possible anymore if the builder signed the build
logs, and ask for binary-uploads to come with the log.
The other problem is real too, it's related to wanna-build: if you
do "rogue" builds you may be in a case where an autobuilder is
already building that package, hence wasting resources.
--
·O· Pierre Habouzit
··O madcoder@debian.org
OOO http://www.madism.org
Attachment:
pgpftGcuJap6r.pgp
Description: PGP signature