At Thu, 12 Jun 2014 18:35:39 +0200,
Christoph Anton Mitterer wrote:
>
> On Thu, 2014-06-12 at 10:30 +0200, Thorsten Glaser wrote:
> > The buildd-related software (and most people when doing manual builds
> > with cowbuilder) uses “apt-get source foo” to download the file, fully
> > assuming that apt-get ensures validation, so no “dscverify” is run on
> > the sources downloaded by apt. (If someone uses dget, either dget is
> > new enough to call dscverify, or they had better be doing that by hand.)
>
> Which is why we're possibly screwed already... even if the builds don't
> run as root... it seems like a rather easy way to get into the build
> hosts... and/or have forged source packages built and distributed.
>
> Just that NSA hasn't twittered yet that they didn't doesn't mean this is
> the case...
>
> So... @security-team: is there anything that is going to be done with
> respect to Debian's infrastructure? Or do we simply assume that no one
> tried that attack vector before?
The security team is responsible for releasing security updates, not for
securing Debian's infrastructure. See https://wiki.debian.org/Teams/Security
for more information.

And if you're really concerned with state actors backdooring Debian packages,
then please take a look at reproducible builds:
https://wiki.debian.org/ReproducibleBuilds

Securing all buildds and the personal machines of all developers against such
sophisticated attackers is very difficult. Although we should of course do our
best to keep everything secure, I think the best way to make sure there are no
backdoors inserted when binary packages are built is to make it easy to verify
they are built from the correct source package. The wiki page also has a nice
"Useful things you (yes, you!) can do" list.

Archive: https://lists.debian.org/87d2ed6ro9.wl%jer...@dekkers.ch
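The point Thorsten raises above is that `apt-get source` hands the buildd a .dsc and its tarballs without the signature/checksum verification that `dscverify` would perform. The script below is an added illustration written for this page, not code from the thread, from devscripts or from Debian's build infrastructure: it implements the integrity half of that check, parsing the `Checksums-Sha256` field of a .dsc and comparing each referenced file's size and SHA-256 digest, and shows how a substituted tarball or a missing file is reported. The OpenPGP signature check that `dscverify` runs first (against the Debian keyrings) is deliberately left out so the example runs offline; without that step the checksums only tie the tarballs to whatever .dsc you were given, so this is a complement to signature verification, not a replacement. The package name `foo`, the file contents and the .dsc text are constructed sample data.

```python
"""Check the files referenced by a Debian .dsc against its Checksums-Sha256
field. Added example (not dscverify itself); it performs only the checksum
step and does not verify the .dsc's OpenPGP signature."""
import hashlib
import os
import tempfile

ORIG_NAME = "foo_1.0.orig.tar.gz"
DEBIAN_NAME = "foo_1.0-1.debian.tar.xz"

# Constructed stand-ins for the real tarballs (not real archives; the check
# only cares about bytes, sizes and digests).
SAMPLE_FILES = {
    ORIG_NAME: b"upstream tarball bytes\n" * 40,
    DEBIAN_NAME: b"debian packaging tarball bytes\n" * 10,
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return [(hexdigest, size, filename)] from a multi-line control field.
    A .dsc is an RFC 822 style control file: "Name: value" lines, with
    continuation lines starting with a single space. A clearsigned .dsc's
    PGP armor lines do not start with a space, so they are simply skipped."""
    entries = []
    in_field = False
    for line in dsc_text.splitlines():
        if line.startswith(" "):
            if in_field and line.strip():
                digest, size, name = line.split()
                entries.append((digest.lower(), int(size), name))
            continue
        in_field = line.lower().startswith(field.lower() + ":")
    return entries


def verify_dsc(dsc_path):
    """Check each file listed in Checksums-Sha256 in the .dsc's directory.
    Returns {filename: "ok" | "missing" | "size mismatch" |
             "checksum mismatch" | "bad filename"}."""
    with open(dsc_path, "r", encoding="utf-8") as f:
        entries = parse_checksums(f.read())
    if not entries:
        raise ValueError("no Checksums-Sha256 field in %s" % dsc_path)
    base = os.path.dirname(os.path.abspath(dsc_path))
    results = {}
    for digest, size, name in entries:
        # A hostile .dsc must not be able to point outside its own directory.
        if os.path.basename(name) != name or name.startswith("."):
            results[name] = "bad filename"
            continue
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size mismatch"
        elif sha256_of(path) != digest:
            results[name] = "checksum mismatch"
        else:
            results[name] = "ok"
    return results


def write_sample(directory, tamper=False):
    """Write the constructed tarballs and a matching .dsc into `directory`.
    With tamper=True, flip one byte of the orig tarball after the .dsc was
    generated (same size, different digest) and delete the debian tarball."""
    paths = {}
    for name, data in SAMPLE_FILES.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    lines = ["Format: 3.0 (quilt)", "Source: foo", "Version: 1.0-1",
             "Checksums-Sha256:"]
    for name, p in paths.items():
        lines.append(" %s %d %s" % (sha256_of(p), os.path.getsize(p), name))
    lines += ["Package-List:", " foo deb misc optional arch=any"]
    dsc_path = os.path.join(directory, "foo_1.0-1.dsc")
    with open(dsc_path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    if tamper:
        data = bytearray(SAMPLE_FILES[ORIG_NAME])
        data[0] ^= 0x01
        with open(paths[ORIG_NAME], "wb") as f:
            f.write(data)
        os.remove(paths[DEBIAN_NAME])
    return dsc_path


def demo(tamper=False):
    """Build a sample source package directory in a temp dir and verify it."""
    return verify_dsc(write_sample(tempfile.mkdtemp(prefix="dscverify-"), tamper))


if __name__ == "__main__":
    print("untouched:", demo())
    print("tampered: ", demo(tamper=True))
```

In a real pipeline the order matters: verify the .dsc's signature against a trusted keyring first, then run a check like `verify_dsc` on the tarballs, and only then unpack. Reproducible builds, which the reply above points to, address the other end of the chain: once the source is known to be the right one, independent rebuilds can confirm that the shipped binary actually came from it.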