On Fri, Sep 28, 2007 at 09:18:12PM -0500, Manoj Srivastava wrote:
> On Fri, 28 Sep 2007 23:04:00 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > There is some other thing I do not like about the way Debian packages
> > work. Every package I install can actually completely compromise my
> > s
On Fri, 28 Sep 2007 23:04:00 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
> There is some other thing I do not like about the way Debian packages
> work. Every package I install can actually completely compromise my
> system, because the maintainer scripts are run as root.
You can, of
On Fri, Sep 28, 2007 at 11:04:00PM +0200, Martin Uecker wrote:
>
> There is some other thing I do not like about the way Debian
> packages work. Every package I install can actually completely
> compromise my system, because the maintainer scripts are run
> as root. It would be nice if normal pack
On Fri, Sep 28, 2007 at 09:05:59AM -0700, Don Armstrong wrote:
> On Fri, 28 Sep 2007, Martin Uecker wrote:
> > You are seriously stating that it is as easy to hide a trojan in the
> > source code as in the binary?
>
> Consider the fact that we've already had such a case,[1] whereas we've
> not (to my
On Fri, 28 Sep 2007, Martin Uecker wrote:
> You are seriously stating that it is as easy to hide a trojan in the
> source code as in the binary?
Consider the fact that we've already had such a case,[1] whereas we've
not (to my knowledge) distributed a trojaned binary. I'm not sure
which is easier to
On Thu, Sep 27, 2007 at 06:31:58PM -0500, Manoj Srivastava wrote:
> On Thu, 27 Sep 2007 11:28:47 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
[...]
> >> But recompiling from what? If you do not get the exact same source,
> >> you have no hope of getting the same result.
>
> > I had the impre
On Thu, 27 Sep 2007 11:28:47 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
> On Thu, Sep 27, 2007 at 02:26:49AM -0500, Manoj Srivastava wrote:
>> On Wed, 26 Sep 2007 12:31:51 +0200, Martin Uecker <[EMAIL PROTECTED]>
>> said:
>>
>> > On Wed, Sep 26, 2007 at 12:25:02AM -0500, Manoj Srivastava wro
On Thu, Sep 27, 2007 at 02:26:49AM -0500, Manoj Srivastava wrote:
> On Wed, 26 Sep 2007 12:31:51 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > On Wed, Sep 26, 2007 at 12:25:02AM -0500, Manoj Srivastava wrote:
>
> >> Just because you have _heard_ anyone diss special relativity being
> >> t
Ben Finney <[EMAIL PROTECTED]> wrote:
> Martin Uecker <[EMAIL PROTECTED]> writes:
>
> > On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> > > Ah, security through blissful ignorance :) You do not
> > > actually trust the archive, or the developers, you trust the
> > > s
On Wed, 26 Sep 2007 12:31:51 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
> On Wed, Sep 26, 2007 at 12:25:02AM -0500, Manoj Srivastava wrote:
>> Just because you have _heard_ anyone diss special relativity being
>> the sole reason to believe in it is in the same ball park as
>> blissful, you k
On Wed, Sep 26, 2007 at 12:25:02AM -0500, Manoj Srivastava wrote:
> On Wed, 26 Sep 2007 02:45:09 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
[...]
> >> > No. I would trust the binaries if there are *no mails* from other
> >>
> >> Ah, security through blissful ignorance :) You do not actually
On Wed, 26 Sep 2007 02:45:09 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
> On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
>> On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <[EMAIL PROTECTED]>
>> said:
>>
>> > On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wro
Martin Uecker <[EMAIL PROTECTED]> writes:
> On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> > Ah, security through blissful ignorance :) You do not
> > actually trust the archive, or the developers, you trust the
> > silence.
>
> I trust special relativity, because n
On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
> >> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <[EMAIL PROTECTED]>
> >> s
On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
> On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
>> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <[EMAIL PROTECTED]>
>> said:
>>
>> > It would be enough when just a few people are actually recomp
Clint Adams <[EMAIL PROTECTED]> writes:
> On Mon, Sep 24, 2007 at 06:16:57PM -0700, Russ Allbery wrote:
>> Right now, it's also badly out of date in several respects and not in a
>> position to lead any charge. Manoj and I have both been eaten by our
>> respective day jobs, there are a ton of obv
On Tue, Sep 25, 2007 at 01:03:27AM +0100, Benjamin A'Lee wrote:
> On Tue, Sep 25, 2007 at 12:04:15AM +0200, Martin Uecker wrote:
> > Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> > > Actually, if you do not trust the path down which a binary
> > > package flows, you can not use any informati
On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > It would be enough when just a few people are actually recompiling the
> > binaries and compare it to the official debian packages. Then
> > *eve
On Mon, Sep 24, 2007 at 06:16:57PM -0700, Russ Allbery wrote:
> Right now, it's also badly out of date in several respects and not in a
> position to lead any charge. Manoj and I have both been eaten by our
> respective day jobs, there are a ton of obvious fixes that should go into
> the next rele
Clint Adams <[EMAIL PROTECTED]> writes:
> On Mon, Sep 24, 2007 at 03:34:35PM +1000, Ben Finney wrote:
>> You seem to be suggesting that policy should require this *before* it
>> becomes common practice. That's not generally how policy is crafted:
>> Debian policy generally does not prescribe packa
On Tue, Sep 25, 2007 at 12:04:15AM +0200, Martin Uecker wrote:
> Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> > Actually, if you do not trust the path down which a binary
> > package flows, you can not use any information down that flow path to
> > test your implementation. You need to do
On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
> Manoj Srivastava <[EMAIL PROTECTED]> wrote:
>> On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <[EMAIL PROTECTED]>
>> said:
>> Actually, if you do not trust the path down which a binary package
>> flows, you can not
Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > If policy would require the exact reproducibility of binaries, then it
> > would be a policy violation.
>
> That is not how things work around here. In a case l
On Mon, 24 Sep 2007 03:30:48 -0400, Clint Adams <[EMAIL PROTECTED]> said:
> On Mon, Sep 24, 2007 at 03:34:35PM +1000, Ben Finney wrote:
>> You seem to be suggesting that policy should require this *before* it
>> becomes common practice. That's not generally how policy is crafted:
>> Debian policy
On Mon, Sep 24, 2007 at 03:34:35PM +1000, Ben Finney wrote:
> You seem to be suggesting that policy should require this *before* it
> becomes common practice. That's not generally how policy is crafted:
> Debian policy generally does not prescribe packaging practice, but
> rather describes it.
Cal
Martin Uecker <[EMAIL PROTECTED]> writes:
> If policy would require the exact reproducibility of binaries, then
> it would be a policy violation.
You seem to be suggesting that policy should require this *before* it
becomes common practice. That's not generally how policy is crafted:
Debian polic
On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>> On Mon, 24 Sep 2007 00:54:58 +0200
>> Martin Uecker <[EMAIL PROTECTED]> wrote:
>>
>> > Neil Williams <[EMAIL PROTECTED]>:
>> > > This has been covered before - certain upstream macros are among
>> > > many factors tha
> On Mon, 24 Sep 2007 00:54:58 +0200
> Martin Uecker <[EMAIL PROTECTED]> wrote:
>
> > Neil Williams <[EMAIL PROTECTED]>:
> > > This has been covered before - certain upstream macros are among
> > > many factors that ensure that this is unlikely. I, for one, use
> > > such macros upstream to ind
On Mon, 24 Sep 2007 00:54:58 +0200
Martin Uecker <[EMAIL PROTECTED]> wrote:
> Neil Williams <[EMAIL PROTECTED]>:
> > Martin Uecker <[EMAIL PROTECTED]> wrote:
> > This has been covered before - certain upstream macros are among
> > many factors that ensure that this is unlikely. I, for one, use su
29 matches