Yaroslav Halchenko <deb...@onerussian.com> writes: > script). The only way to completely prevent that would be to develop and > build packages in a completely isolated (virtual machine) environment
Interesting ideas but don't you also need to run the produced binaries in isolation? If we assume a malicious upstream they can surely make the build innocent but then have the produced binaries launch sudojump [1] in the background and have it root your machine the next time you use sudo. Since you mentioned ssh-agent: They can also use ssh-jack [2] to run commands on all machines where you have open ssh connections, they don't need to wait for you to start a new ssh connection. [1] http://seclists.org/bugtraq/2007/Jun/16 [2] http://www.storm.net.nz/projects/7 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/84sjxp32hx....@sauna.l.org
